Small scale DDoS (denial of service) with FREEBSD+IPFW

The author of the company a total of 10 Web servers, using Redhat Linux 9 as the operating system, distributed in major cities nationwide, mainly to provide users with HTTP services. There was a time when a lot of users reflected some of the server access speed is slow, or even inaccessible, after the inspection found that the DDoS attack (distributed denial of service attacks). Because the server distribution is too loose, can not adopt the hardware firewall scheme, although the iptables function is strong enough to deal with most of the attack, but the Linux system itself on the DDoS attack of the defensive force is weak, had to find another way.

One, the charm of FreeBSD

The benefit of discovering FreeBSD is that in an accidental test, an internet is virtualized on a LAN, one Windows client to a Windows Server, Linux The server and a FreeBSD send SYN flood packets without any precautions (common DDoS attacks are done primarily by sending SYN flood data to the server). Windows completely stops responding when it reaches 10 packages, and Linux starts to connect when it reaches 10 packets, while FreeBSD can withstand more than 100 SYN flood packets. The author decided to change all the company's Web server to FreeBSD platform.

After the use of FreeBSD, indeed after a period of stable days. But recently there are users again reflect the site can not be normal access, performance symptoms for the user to open the Web page slow, or directly displayed to find the site. With Netstat a check to see from an IP connection just 50, the state is fin_wait 1, this is an obvious DDoS attack, it seems that FreeBSD no firewall is not omnipotent ah, so think of the installation of firewalls.

Read the N more information, understand the FreeBSD under the most common firewall called IP FireWall, Chinese literal meaning is called IP Firewall, referred to as IPFW. However, if you want to use IPFW, you need to compile the FreeBSD system kernel. For security reasons, at the end of the compilation, IPFW is the default to deny all network services, including the system itself will be rejected, I am completely "cold", I put in the field of the server how to do ah?

Everyone here must be careful, the configuration of a little attention may allow your server to deny all services. The author was tested on a server with FreeBSD 5.0 release.

Second, configure IPFW

In fact, we can completely view the installation of IPFW as a software upgrade process, in Windows, if you want to upgrade a software, you need to download the upgrade package, and then install; in FreeBSD, the process of upgrading the software is the same, but the feature we upgraded today is built into the system itself, We just need to take advantage of this function. Before we open this function, we have to do some preparation work.

The basic parameters for configuring IPFW are set up below.

STEP1: Preparing for work

At the command prompt, do the following:

#cd/sys/i386/conf

If the hint does not have this directory, it means that your system does not have the ports service installed, remember to install.

#cp GENERIC./kernel_ipfw

STEP2: Kernel Rules

With the editor open KERNEL_IPFW this file, add the following four lines at the end of the file:

Options Ipfirewall

Compile the code for the Packet filtering section into the kernel.

Options Ipfirewall_verbose

Enable logs logged through SYSLOGD; If you do not specify this option, even if you specify a packet in the filter rule, they are not actually recorded.

Options Ipfirewall_verbose_li

mit=10

Limit the number of record bars per package rule that is logged through SYSLOGD. This option is useful if you are under a lot of attack and want to log the activity of the firewall, but do not want to cause your journal write to fail due to the Syslog flood records. With this rule, when an item in a chain of rules reaches a limit value, its corresponding log is no longer recorded.

Options Ipfirewall_default_to

_accept

This sentence is the most important. The default rule action will be changed from "Deny" to "allow". The function of this command is that, in the default state, IPFW will accept any data, that is, the server looks like no firewall, if you need any rules, after the installation is completed directly Add.

Save the Kernel_ipfw file and exit after the entry is complete.