# DDoS attacks



## Armando (May 23, 2012)

I would like to know how I can improve the performance of my server so it no longer suffers DDoS or DoS attacks.

What do you recommend?


----------



## UNIXgod (May 23, 2012)

I use pf. It's simple to just write a script to scrape your logs and block the IP addresses DDoSing you.


----------



## shitson (May 23, 2012)

You cannot stop a DDoS with just pf per se. Even if pf is blocking a denial, the traffic still has to hit your machine to get denied. Therefore your incoming link will still be saturated. Is this for home or at work?


----------



## Armando (May 23, 2012)

I need a good firewall to block incoming packets. Would you give me one?


----------



## SirDice (May 23, 2012)

PF is pretty good. But as said, you can only do so much with a firewall. It's not going to help you if your attacker saturates your internet connection. Perhaps your ISP or hoster can help out with that.


----------



## Armando (May 23, 2012)

At least I need a good firewall to block incoming packets. Would you give me one?


----------



## SirDice (May 23, 2012)

Yes, PF.


----------



## Armando (May 23, 2012)

It is PF, but I've got some other firewall that would block the attacker IP.


----------



## SirDice (May 23, 2012)

_Any_ of the three firewalls will block incoming packets. That's their whole purpose of existence.

However, none of them are going to protect you against an attacker that's able to saturate your internet connection.


----------



## Armando (May 23, 2012)

Wait, I understand my problem: maybe PF is not installed properly. I notice that the kernel in the folder /usr/src/ has no file.


----------



## UNIXgod (May 23, 2012)

Interesting. When I had the problem I just scripted a small scraper and called it from cron. Though the attack was coming from every country on the planet, it never actually saturated my NIC. After a couple of days I was blocking pretty close to 12,000 IP addresses. I didn't realize how big some of these zombied botnets were.

So the proper way would be to have a dedicated pf/gateway, I assume. Is there a quicker way to populate the table without parsing the log?
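
The scrape-the-log-and-fill-the-table approach UNIXgod describes, as an added example rather than his actual script. It assumes a Common Log Format access log (client IP first, timestamp in brackets), a pf table declared as `table <webddos> persist` in pf.conf, and a threshold of 100 hits inside any 60-second window; the sample log lines are constructed.

```python
"""Cron-driven log scraper that adds abusive source IPs to a pf table.

Added example, not UNIXgod's own script. Assumes a Common Log Format
access log (client IP first, timestamp in brackets) and a pf table
declared as "table <webddos> persist" in pf.conf; the 100-hits-in-60-s
threshold is an assumed starting point.
"""
import re
import shutil
import subprocess
import sys
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(r"^(\S+) \S+ \S+ \[([^\]]+)\]")
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def find_offenders(lines, limit=100, window=60):
    """IPs with more than `limit` hits inside any `window`-second span.
    Per-IP sliding window; lines are expected in log (time) order."""
    recent, offenders = defaultdict(deque), set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it, don't kill the cron job
        ip, ts = m.group(1), datetime.strptime(m.group(2), TS_FMT)
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()  # drop hits that fell out of the window
        if len(q) > limit:
            offenders.add(ip)
    return offenders

def block(ips, table="webddos"):
    """Add offenders to the pf table; returns the pfctl argv used, or None."""
    if not ips or shutil.which("pfctl") is None:
        return None
    argv = ["pfctl", "-t", table, "-T", "add", *sorted(ips)]
    subprocess.run(argv, check=True)
    return argv

def constructed_log(ip, hits, secs_apart):
    """Build constructed CLF lines for tests/demo (not real traffic)."""
    return ['%s - - [23/May/2012:10:%02d:%02d +0000] "GET / HTTP/1.1" 200 1' %
            (ip, (i * secs_apart) // 60, (i * secs_apart) % 60) for i in range(hits)]

if __name__ == "__main__":
    src = open(sys.argv[1]) if len(sys.argv) > 1 else constructed_log("203.0.113.7", 101, 0)
    print(block(find_offenders(src)) or "nothing to block (or pfctl not found)")
```

Run it from cron against the live access log; because the table is declared `persist`, entries survive rule reloads, so pair it with a periodic `pfctl -T expire` to let addresses age out.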


----------



## SirDice (May 23, 2012)

UNIXgod said:

> Is there a quicker way to populate the table without parsing the log?


You can throttle connections with PF. If I remember correctly the man page has some nice examples. But besides that there isn't much you can do since you don't know in advance where the attacks will come from. All you can do is react after the fact.


----------



## Deleted member 30996 (May 23, 2012)

UNIXgod said:

> So the proper way would be to have a dedicated pf/gateway, I assume.



pfSense is very nice if you've got an old machine sitting around collecting dust. It runs great on my Dell with a 2.66GHz P4 and 1.25GB RAM.

And while the pf firewall will block incoming packets anyway, there is a pfBlocker app that comes with it which you can set to block incoming and outgoing traffic to countries all over the world.


----------



## bbzz (May 23, 2012)

You need to work with your ISP so they can blackhole the traffic. Otherwise, as it was mentioned before, your link will get saturated anyway.


----------



## pacija (May 23, 2012)

Couldn't attackers be blocked with PF like this...


```
# persist keeps <webddos> across rule reloads; overloaded sources land here
table <webddos> persist
# drop everything (not only 80/443) from listed sources; quick ends rule evaluation
block log quick inet from <webddos>
# $ext_if and $webserver are assumed to be macros defined earlier in pf.conf
pass in on $ext_if inet proto tcp from any to $webserver port { 80 443 } synproxy state \
        ( max-src-conn-rate 100/60, overload <webddos> flush global )
```

...meaning block completely (not just ports 80 and 443) every IP address which places more than 100 requests in a 60-second period? Of course you could tweak the number of requests and the period according to your situation, or do additional source tracking (explained in pf.conf(5)).

A line in cron resets the ban once per week (sometimes a good host dynamically gets an IP address which previously belonged to a DoS-er):

```
# once a week, drop table entries added more than 60 seconds ago (effectively all of them)
@weekly /sbin/pfctl -t webddos -T expire 60
```


----------



## kpa (May 23, 2012)

That won't stop the remote hosts from trying to send the DDoS traffic to your IP address, it will still hit the next router upstream and bring it down to its knees.


----------



## bbzz (May 23, 2012)

@pacija
Yeah, you could, but the point is that packets already enter your link, which means that the DDoS is doing its thing - denying other legitimate packets entry to your link.

The only way to truly alleviate DDoS is to have huge resources in bandwidth and servers which could "eat up" the attack, while working with your ISP to block traffic upstream before it enters your links.


----------

