# DDoS protection?



## Freaky (Feb 9, 2011)

Hello,

Is there a good DDoS protection for FreeBSD?

Best regards,
Freaky


----------



## DutchDaemon (Feb 9, 2011)

That's a _very_ general and broad topic ... specific questions are better.

Start here: *Unofficial FreeBSD Security Checklist / Links / Resources*


----------



## _martin (Feb 10, 2011)

Indeed - sounds more like a rhetoric question actually. 

Usually, you have to defend yourself (at least) one hop before the destination to make it really effective. But i think pf(4) is a good start too.


----------



## DutchDaemon (Feb 10, 2011)

Also note that the first victim of a DDoS attack is your bandwidth. You can secure your server, you can even take it offline, but a DDoS will flood your entire Internet connection, and maybe even part of your upstream connection. The real defence against a DDoS starts at your ISP or upstream bandwidth provider. Once it reaches your network/modem/server, you're powerless.


----------



## gkontos (Feb 10, 2011)

In theory yes, in practice it costs much more money to safeguard against DDoS attacks rather than to take alternate measures when it actually happens.
Of course, this has nothing to do with FreeBSD. Attacks are aimed at services, usually Internet services, and are always platform independent.

Regards,
George


----------



## Pushrod (Feb 10, 2011)

Really the only thing you can do about incoming DDoS is manage how the machine responds to the flooding. Incoming data is incoming data. The only solution there is as DD says, stop it before it gets to your network.


----------



## throAU (Jan 14, 2013)

Upstream filtering by your router / ISP / DDOS protection host is the best way to combat this.

As stated already, whether or not your host can withstand a DDOS or not, typically your bandwidth will be hosed anyway.  The further upstream you can have your traffic filtered against such stuff, the better.

Unless you have a very large pipe, chances are your bandwidth will run out before even 5 year old hardware will not be able to keep up.


----------



## vertexSymphony (Jan 15, 2013)

There's nohing you can do to stop it, but as anything in computer (in)security: you can mitigate it.

A good point of start is trying to determine which service is being attacked and find a pattern of attack (for example, with VERY simple bots they could be using wininet and fetching a specific path repeatedly and that's a patter you could take advantage of )

That surely won't take you out of the hot, but it will give some fresh air: It's not the same the traffic/resources spent by receiving requests (for example) than receiving requests and then actually processing them.

View it in a layered kind of fashion, in general every measure you could take is one layer that improves your scenario.

Regards.


----------



## grabes (Jan 15, 2013)

I often get generic DDOS attacks against our web services.  I have found pf does a great job in stopping them. This is not one sized fits all as some may wonder why I need as many connections as I do.  This can be easily adopted for other services besides web.


==

```
table <ddos> persist

# stop ddos
block in log quick on $ext_if proto tcp from <ddos> to $web_ip port { 80, 443 } label ddos-block

# http ddos prevention
# I would lower these limits as they are high
pass in quick on $ext_if proto tcp to $web_ip port { 80, 443 } flags S/SA label http keep state \
        (max-src-conn 120, max-src-conn-rate 180/60, overload <ddos> flush global)
```


----------

