On Feb 10, 2013, at 4:42 AM, James Howlett wrote:

> Hello,
> 
> 
>> I think you'll get some better input if you address some of what Kevin noted 
>> above.  What firewall (if any) is in place?  What rules are currently in 
>> place? What tuning have you done so far?  Is polling enabled?
> 
> 1. I use pf on the router.
> 2. My setup looks like this ISP---switch---FreeBSD_router---Juniper_firewall  
> So as long as my router can process the traffic I can manage all the rest 
> (eg. customer firewalls, zoning etc) on my Juniper hardware.
> 3. The rules at the moment just filter SSH connections to the router. 
> 4. I'm looking into enabling polling, but I need to test it before it goes to 
> production.
> 
> 
>> 
>> When you get hit, you mentioned it's 200K pps, how much bandwidth?  How many 
>> different source IPs?
> 
> Hard to say at the moment, but it was a DDoS for sure. Multiple hosts 
> connecting to one single port on a single machine.
> 
>> I know on a "real" router, having Netflow configured and dumping info to a 
>> host for analysis is very helpful - I can at least see what's being 
>> targeted and ask my upstreams to null route the attacked IP at their edges. 
>>  I don't know if there's a good netflow exporter available for FreeBSD that 
>> won't hurt more than it helps.
> 
> I can collect sFlow from my switch so that should do it. What software would 
> you recommend for netflow analysis?

I'm not sure I can recommend it, because it's quite old, but I use flow-tools 
and just query on the command line for top X destinations - inevitably, even if 
the old Cisco is tanking from the load, it's able to spit out enough info to 
give me an idea of what's being targeted.

I'm probably going to move to nfsen/nfdump, as that seems to be the modern 
solution:

http://nfsen.sourceforge.net/

> 
> Jim
>                                         
> _______________________________________________
> freebsd-...@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-isp
> To unsubscribe, send any mail to "freebsd-isp-unsubscr...@freebsd.org"

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
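The "top X destinations" query the reply describes, written out as an added example that is not part of the thread and not flow-tools or nfdump code. It assumes flow records have already been exported as a CSV resembling nfdump's line output (first seen, last seen, protocol, source IP/port, destination IP/port, packets, bytes); the records below are constructed, and the packet-rate and source-count thresholds in `flag_floods` are illustrative assumptions, not values from the thread. It answers the three questions raised earlier in the thread for each destination: which IP and port are being hit, roughly how many packets per second and Mbit/s, and how many distinct source addresses are involved.

```python
"""Aggregate exported flow records per destination IP:port to see what a
flood is targeting (added example; input format is an assumed CSV layout)."""
from dataclasses import dataclass
from datetime import datetime

TS_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample records: four flows from three sources hammering
# 203.0.113.10:80, plus two small, ordinary flows for comparison.
SAMPLE_FLOWS = """\
# first_seen,last_seen,proto,src_ip,src_port,dst_ip,dst_port,packets,bytes
2013-02-10 04:40:00,2013-02-10 04:40:10,TCP,198.51.100.7,51234,203.0.113.10,80,120000,7200000
2013-02-10 04:40:00,2013-02-10 04:40:10,TCP,198.51.100.8,40001,203.0.113.10,80,150000,9000000
2013-02-10 04:40:05,2013-02-10 04:40:15,TCP,198.51.100.9,40002,203.0.113.10,80,130000,7800000
2013-02-10 04:40:00,2013-02-10 04:40:20,TCP,192.0.2.50,55000,203.0.113.20,443,800,48000
2013-02-10 04:40:00,2013-02-10 04:40:05,TCP,192.0.2.51,55001,203.0.113.10,22,40,2400
2013-02-10 04:40:10,2013-02-10 04:40:15,TCP,198.51.100.7,51235,203.0.113.10,80,100000,6000000
"""


@dataclass
class Flow:
    first: datetime
    last: datetime
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    packets: int
    octets: int


@dataclass
class DstStat:
    dst_ip: str
    dst_port: int
    packets: int
    octets: int
    sources: int      # distinct source IPs seen for this destination
    window_s: float   # seconds between earliest first_seen and latest last_seen
    pps: float        # packets per second over that window

    @property
    def mbps(self) -> float:
        return self.octets * 8 / self.window_s / 1e6


def parse_flows(text: str) -> list:
    """Parse the assumed CSV layout; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = [x.strip() for x in line.split(",")]
        if len(f) != 9:
            raise ValueError(f"bad record: {line!r}")
        flows.append(Flow(datetime.strptime(f[0], TS_FMT), datetime.strptime(f[1], TS_FMT),
                          f[2], f[3], int(f[4]), f[5], int(f[6]), int(f[7]), int(f[8])))
    return flows


def top_destinations(flows: list, n: int = 10) -> list:
    """Return the n busiest (dst_ip, dst_port) pairs by packet count."""
    agg = {}
    for fl in flows:
        a = agg.setdefault((fl.dst_ip, fl.dst_port),
                           {"packets": 0, "octets": 0, "srcs": set(),
                            "first": fl.first, "last": fl.last})
        a["packets"] += fl.packets
        a["octets"] += fl.octets
        a["srcs"].add(fl.src_ip)
        a["first"] = min(a["first"], fl.first)
        a["last"] = max(a["last"], fl.last)
    stats = []
    for (ip, port), a in agg.items():
        # Clamp to one second so a burst recorded in a single second does not divide by zero.
        window = max((a["last"] - a["first"]).total_seconds(), 1.0)
        stats.append(DstStat(ip, port, a["packets"], a["octets"],
                             len(a["srcs"]), window, a["packets"] / window))
    stats.sort(key=lambda s: s.packets, reverse=True)
    return stats[:n]


def flag_floods(stats: list, pps_threshold: float = 10000.0, min_sources: int = 2) -> list:
    """Destinations that look like a distributed flood: high pps from several sources.
    Thresholds are assumptions for this example; tune them to your own links."""
    return [s for s in stats if s.pps >= pps_threshold and s.sources >= min_sources]


if __name__ == "__main__":
    for s in top_destinations(parse_flows(SAMPLE_FLOWS)):
        print(f"{s.dst_ip}:{s.dst_port:<5} pkts={s.packets:>8} srcs={s.sources:>3} "
              f"pps={s.pps:>10.1f} mbps={s.mbps:.2f}")
    for s in flag_floods(top_destinations(parse_flows(SAMPLE_FLOWS))):
        print(f"flood candidate: {s.dst_ip}:{s.dst_port}")
```

The output of `top_destinations` is what you would hand to an upstream when asking for a null route: the single destination that dominates the packet count, together with the rate and the number of sources, which tells you whether rate-limiting one offender would help or whether the target itself has to be blackholed.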
