[pfSense Support] pfsense and DDOS
An article popped up on /. today, and although it's a poorly written article, some of the ensuing discussion did provoke some thought.

http://it.slashdot.org/story/11/02/01/181200/Firewalls-Make-DDoS-Attacks-Worse

I think the article is mostly just scare marketing, but it raises the question of how a firewall would best react to a DDOS scenario. I recently read a page in the pfsense docs (can't find it in the wiki or FAQ now), which I believe quoted the pfsense book (don't have it), where cmb states that pfsense is the best open source firewall, and one of the best firewalls at handling DDOS attacks.

So what I'm wondering now is best practice in terms of hardening pfsense against DDOS. Acknowledging that DDOS is best handled in cooperation with your provider, what can we do at our end? Or are the default firewall settings pretty tight in that regard? Is there anything one might do that would inadvertently expose one's pfsense to DDOS-related troubles?

db

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com
Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] pfsense and DDOS
On 02/01/2011 11:25 AM, David Burgess wrote:

> An article popped up on /. today, and although it's a poorly written article, some of the ensuing discussion did provoke some thought.
> http://it.slashdot.org/story/11/02/01/181200/Firewalls-Make-DDoS-Attacks-Worse

Firewalls do make DDOS attacks worse in front of a large web farm. The state tables get exhausted very quickly. The various large web farms out there don't have a firewall in front of them. Just run limited ports. Of course they also have load balancers, packet sprayers, CDN etc. Not your typical environment.

> So the thing I'm wondering now, is best practice in terms of hardening pfsense against DDOS.

If it's a well executed DDOS, they can take you out with just a few thousand pps. Just gotta know how to flood the session/state tables. Granted, with pfsense and an x86 box with lots of ram/cpu you'll probably be fine for quite a while. Do some research into the hardware router/firewall vs software based one (in particular Linux based firewalling/routing) and you'll find all sorts of material. BSD seems more mature.
--
Charles N Wyble (char...@knownelement.com)
Systems craftsman for the stars
http://www.knownelement.com
Mobile: 626 539 4344
Office: 310 929 8793
Re: [pfSense Support] pfsense and DDOS
On Tue, Feb 1, 2011 at 2:25 PM, David Burgess apt@gmail.com wrote:

> An article popped up on /. today, and although it's a poorly written article, some of the ensuing discussion did provoke some thought.
> http://it.slashdot.org/story/11/02/01/181200/Firewalls-Make-DDoS-Attacks-Worse
> I think the article is mostly just scare marketing, but it raises the question of how a firewall would best react to a DDOS scenario.

The article would be more accurate to say network components that are inadequately sized or configured to handle a DDoS attack make them worse. I've seen DDoS attacks with a packet rate to kill a Cisco router at the edge with as simple of a routing configuration as can possibly exist, but not nearly enough to kill the firewall sitting behind it. For most of us, it matters none, we simply don't have enough bandwidth, unless it's a lame attacker or you have a 10 Gb Internet pipe (even that wouldn't be nearly enough for some attacks).

From experience fighting a number of DDoS attacks, what generally happens is they'll throw enough at you to knock you offline, whatever that takes. If you're running with a default 1 state table that doesn't take much. Increase that and the attack gets bigger. At which point you may max out your hardware's ability to handle states. Drop in a box with more RAM and a much bigger state table, PF state timer tweaks that can help when you have very high rates of state insertions and deletions, and the attack gets bigger still - usually at this point exhausting your Internet bandwidth. At which point you're stuck, your ISP has to help you, nothing you put in place is going to relieve the fact that your pipe is full. Usually they'll blackhole route the affected IP so all your other IPs can function normally, and may do other things depending on their infrastructure and the specific attack. That's oversimplified a bit, but they've all followed that same line.
If not properly sized and configured to handle a DDoS of the scale you may see in your environment, yes, your firewall is probably going to be the first thing to fall over (unless you have an inadequate router in front of it). But it really doesn't matter, as even if it does stand up, experience at the level that virtually all of us are responsible for (1-2 Gb Internet at most) is that they're going to kill your connection regardless of what you have behind it.

If you're Google, Facebook, Yahoo, etc., yeah, you don't want firewalls in front of your web farm. If you have a few hundred servers or less (varying depending on specifics of the environment), it virtually never matters: make sure you have decent settings in place to handle as much as possible, have a good relationship with your provider and discuss with them in advance what they will do to help if you're hit with a DDoS, and don't worry about it. Having a firewall as a single ingress and egress point into small to mid sized hosting environments is beneficial for many reasons, and properly sized and configured it's not going to leave you any worse off when under DDoS attack than you're going to be anyway.
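The "bigger state table plus PF state timer tweaks" step described in the reply above, written out as the pf.conf settings that sit behind the pfSense GUI options. This is an added example, not configuration from the thread or from the pfSense project; the interface name, the server address and the table name are placeholders, and the numeric values are illustrative and need to be sized to the RAM of the actual box.

```pf
# Added example (not from the thread or from pfSense): the loose form of a
# public web-server rule beside a form tightened against state exhaustion.
# Placeholders: em0, 192.0.2.10 (documentation range), <flooders>.
ext_if  = "em0"
web_srv = "192.0.2.10"

# --- loose: defaults everywhere ----------------------------------------
# No 'set limit states', default timeouts, plain 'keep state'. Every SYN
# that reaches the rule costs a state for the full tcp.first timeout.
#
# pass in on $ext_if proto tcp to $web_srv port 80 keep state

# --- tightened ----------------------------------------------------------
# 1. Size the state table for the RAM you actually have (roughly 1 KB per
#    state is a usable planning figure; illustrative value here).
#    pfSense GUI: System > Advanced > Firewall & NAT, "Firewall Maximum States".
set limit states 1000000

# 2. Adaptive timeouts: above adaptive.start pf scales every timeout down
#    linearly, reaching zero at adaptive.end, so idle and half-open states
#    are reaped faster exactly when the table is under pressure.
#    pfSense GUI: "Firewall Adaptive Timeouts" (Adaptive Start / End).
set timeout { adaptive.start 600000, adaptive.end 1200000 }

# 3. Shorter timers for states that never finished the handshake, so a
#    SYN flood recycles its entries quickly. Completed sessions keep the
#    normal tcp.established timeout.
set timeout { tcp.first 30, tcp.opening 10, tcp.closing 30 }

# 4. Per-source limits on the public service. A source exceeding the
#    limits is added to the table and its existing states are flushed;
#    the table is then dropped outright before the pass rule is evaluated.
#    pfSense GUI: rule Advanced Options, "Max. src. conn. Rate" with
#    the overload table handled by the GUI's own table.
table <flooders> persist
block in quick on $ext_if from <flooders>

pass in on $ext_if proto tcp to $web_srv port 80 \
    flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 50/5, \
     overload <flooders> flush global)
```

Two caveats worth keeping in mind when applying this. Adaptive timeouts shrink the timers of legitimate idle sessions too, so long-lived quiet connections (SSH, database pools) may be dropped during an attack; that is usually the right trade-off, but it should be a known one. Per-source limits only help against sources that reuse addresses; a flood from a large spoofed or distributed address space hits the table size and timeout settings instead, which is where the reply above says the provider's blackhole eventually has to take over. pfSense also offers "Synproxy" as the rule's State Type, which completes the handshake on the firewall before creating a state for the server; it requires symmetric routing through the firewall.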
Re: [pfSense Support] pfsense and DDOS
Sorry for top post.

Some better ISPs have options for rate limiting your connection in the event of a DDOS, meaning their systems will take the brunt of the hit and not route it to your firewall. This can vary from temporarily offlining you to absorb the packet storm to dropping connection attempts after a set pps level. Then again, this is also what right-sizing your system load to handle and making proper systems to handle the load is about. There has to be some set level at which you will just stop trying to stay online and just offline yourself so as not to be absorbing useless traffic.

In general I disagree with the idea, as some servers/services are harder to recover from DDOS attacks than the firewall filling its state table and slowly dumping them. I've seen webservers going into full kernel panics where a firewall/router taking the hit would have just locked up for a minute or so. In general it should be a multi-staged approach, not a single piece of wondergear doing everything.

-Sean

-----Original Message-----
From: Charles N Wyble
Sent: Tuesday, February 01, 2011 6:39 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] pfsense and DDOS
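Sean's point that there has to be a set level at which you stop trying to stay online, and the earlier reply's description of the state table filling as the attack scales, call for a way to see that level coming. The following is an added monitoring example, not code from the thread or from the pfSense project: it parses the state-table counters that `pfctl -si` and `pfctl -sm` print on a pfSense/FreeBSD box, reports utilization against the hard limit, and estimates from the insert and removal rates how long until the table is full. The warning and critical thresholds are assumptions, and the sample pfctl output is constructed.

```python
"""Added example (not from the thread or from pfSense): a small pf
state-table monitor. Reads `pfctl -si` / `pfctl -sm`, computes utilization
and time-to-exhaustion, and classifies against assumed thresholds."""
import re
import subprocess
from dataclasses import dataclass
from typing import Optional, Tuple

WARN_PCT = 70.0   # assumed threshold: start paging
CRIT_PCT = 90.0   # assumed threshold: shed load / call the provider


@dataclass
class StateStats:
    current: int          # "current entries" from pfctl -si
    limit: int            # "states hard limit" from pfctl -sm
    insert_rate: float    # state inserts per second
    removal_rate: float   # state removals per second

    @property
    def utilization_pct(self) -> float:
        return 100.0 * self.current / self.limit

    @property
    def net_growth_per_s(self) -> float:
        return self.insert_rate - self.removal_rate

    def seconds_to_exhaustion(self) -> Optional[float]:
        """Seconds until the table fills at the current net churn;
        None when the table is steady or shrinking."""
        if self.net_growth_per_s <= 0:
            return None
        return (self.limit - self.current) / self.net_growth_per_s


def _counter(info_text: str, name: str) -> Tuple[int, float]:
    """Return (total, rate_per_s) for one counter line of `pfctl -si`;
    lines without a rate column (e.g. 'current entries') yield rate 0."""
    words = r"\s+".join(re.escape(w) for w in name.split())
    m = re.search(r"^\s*" + words + r"\s+(\d+)(?:\s+([\d.]+)/s)?\s*$",
                  info_text, re.MULTILINE)
    if m is None:
        raise ValueError(f"counter {name!r} not found in pfctl -si output")
    return int(m.group(1)), float(m.group(2) or 0.0)


def parse_state_info(info_text: str, mem_text: str) -> StateStats:
    current, _ = _counter(info_text, "current entries")
    _, inserts = _counter(info_text, "inserts")
    _, removals = _counter(info_text, "removals")
    m = re.search(r"^states\s+hard limit\s+(\d+)", mem_text, re.MULTILINE)
    if m is None:
        raise ValueError("states hard limit not found in pfctl -sm output")
    return StateStats(current, int(m.group(1)), inserts, removals)


def assess(stats: StateStats) -> str:
    pct = stats.utilization_pct
    if pct >= CRIT_PCT:
        return "CRITICAL"
    if pct >= WARN_PCT:
        return "WARNING"
    return "OK"


def report(stats: StateStats) -> str:
    eta = stats.seconds_to_exhaustion()
    eta_txt = "n/a (table not growing)" if eta is None else f"{eta:.0f}s"
    return (f"{assess(stats)}: {stats.current}/{stats.limit} states "
            f"({stats.utilization_pct:.1f}%), net growth "
            f"{stats.net_growth_per_s:+.0f}/s, full in {eta_txt}")


def read_live() -> StateStats:
    """Collect from a real box (needs root and pfctl on PATH)."""
    def run(args):
        return subprocess.run(args, capture_output=True, text=True,
                              check=True).stdout
    return parse_state_info(run(["pfctl", "-si"]), run(["pfctl", "-sm"]))


# Constructed sample output in the `pfctl -si` / `pfctl -sm` layout,
# standing in for a box whose table is filling faster than it drains.
SAMPLE_INFO = """\
Status: Enabled for 0 days 04:12:09           Debug: Urgent

State Table                          Total             Rate
  current entries                   820000
  searches                       987654321        12000.0/s
  inserts                          4561234         3000.0/s
  removals                         3741234          500.0/s
Counters
  match                            4561234         3000.0/s
"""
SAMPLE_MEM = """\
states        hard limit  1000000
src-nodes     hard limit    10000
frags         hard limit     5000
table-entries hard limit   200000
"""

if __name__ == "__main__":
    print(report(parse_state_info(SAMPLE_INFO, SAMPLE_MEM)))
```

Run from cron or a monitoring agent with `read_live()` in place of the sample text, the time-to-exhaustion figure is the number that matters: a table at 82% with a net growth of +2500 states/s is 72 seconds from full, which is the point at which the "offline yourself" decision or the provider's blackhole has to already be in motion, not the point at which to start discussing it.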