Mitigating small-scale DDoS with FreeBSD + IPFW

Source: Internet
Author: User
Tags: syslog

Editor's note: the approach described in this article is effective only against small-scale malicious attacks.

The author's company has a total of 10 Web servers running Red Hat Linux 9, spread across major cities nationwide and mainly providing HTTP services to users. For a while, many users reported that some servers were slow to reach or completely unreachable; investigation showed a DDoS (distributed denial of service) attack. Because the servers are so widely dispersed, a hardware firewall was not an option, and although iptables is capable enough to handle most attacks, Linux itself is weak at withstanding DDoS attacks, so another approach had to be found.

I. The appeal of FreeBSD

FreeBSD's advantage came to light in an informal test: on a LAN set up to simulate the Internet, one Windows client sent SYN flood packets to a Windows server, a Linux server and a FreeBSD server, none of which had any protection configured (common DDoS attacks are carried out mainly by sending SYN flood packets to the server). Windows stopped responding entirely at around 10 packets, and Linux began to have connection trouble at around 10 packets as well, while FreeBSD withstood more than 100 SYN flood packets. The author decided to move all of the company's Web servers to FreeBSD.

After the switch to FreeBSD there was indeed a period of stable operation. Recently, however, users again reported that the site could not be accessed normally: pages opened slowly, or the browser reported that the site could not be found. Running netstat -a showed roughly 50 connections from a single IP address, all in the FIN_WAIT_1 state, which is a clear sign of a DDoS attack. FreeBSD without a firewall is evidently not invincible, so it was time to install one.

After reading a good deal of documentation, I learned that the most common firewall on FreeBSD is IP FireWall, literally "IP firewall" in Chinese, abbreviated IPFW. Using IPFW, however, requires recompiling the FreeBSD kernel, and for security reasons the freshly compiled kernel's IPFW denies all network traffic by default, including the system's own. That left me at a loss: what would I do with servers located in remote cities?

Everyone must be careful here: a moment's inattention in the configuration can leave your server refusing all services. The author tested the procedure on a server running the FreeBSD 5.0 release.

II. Configuring IPFW

Installing IPFW can be viewed as a software upgrade. On Windows, upgrading a program means downloading an upgrade package and installing it; on FreeBSD the process is the same, except that the feature we are enabling today is already built into the system, and we only need to make use of it. Before enabling it, some preparation is required.

The basic parameters for configuring IPFW are set up as follows.

STEP 1: Preparation
At the command prompt, run:
# cd /sys/i386/conf
If the shell reports that this directory does not exist, the ports collection was not installed on your system; remember to install it first.
# cp GENERIC ./KERNEL_IPFW

STEP 2: Kernel options
Open the KERNEL_IPFW file in an editor and add the following four lines at the end of the file:
options IPFIREWALL
Compiles the packet-filtering code into the kernel.
options IPFIREWALL_VERBOSE
Enables logging through syslogd; without this option, packets are not actually logged even when a filter rule asks for it.
options IPFIREWALL_VERBOSE_LIMIT=10
Limits the number of log entries per rule that are written through syslogd. This option is useful when you are under heavy attack and want to log the firewall's activity without having a flood of syslog records fill your log partition. With this limit, once an entry in the rule chain reaches the limit value, no further log records are written for it.
options IPFIREWALL_DEFAULT_TO_ACCEPT

This line is the most important. It changes the default rule action from "deny" to "allow": in its default state IPFW accepts all traffic, so the server behaves as if it had no firewall, and any rules you need can simply be added after the installation is complete.

Save KERNEL_IPFW and exit the editor once the entries are in place.

III. Compiling the system kernel

Because FreeBSD and Linux are both open-source operating systems (unlike Windows, whose code is closed, leaving us to guess or to consult Microsoft), and because the FreeBSD kernel is continually upgraded, you usually need to recompile the kernel to use the features of a new version or to customize a more efficient and more stable system.

Here, of course, we compile the kernel to obtain a more efficient system rather than to use new features.

You may encounter some error messages during compilation. To keep these to a minimum we have reduced the configuration file to the bare minimum; if errors still appear, check carefully for typos and other small mistakes.

STEP 1: Compilation commands
On the command line, run:
# /usr/sbin/config KERNEL_IPFW
When it finishes you will see a message like: Kernel build directory is ../compile/KERNEL_IPFW. Don't forget to do a `make depend'
# cd ../compile/KERNEL_IPFW
Note that on FreeBSD 4.x the build directory is ../../compile/KERNEL_IPFW, whereas on FreeBSD 5.0 it is ../compile/KERNEL_IPFW.
# make depend
# make
# make install

STEP 2: Building the kernel

The time taken depends on the machine; an ordinary dual Pentium 4 Xeon server with 1 GB of memory finishes in about 5 minutes.
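The two steps above (copy GENERIC, append the four options, then config and make) are easy to get wrong on a remote box, and the one mistake that matters is building a kernel that has IPFIREWALL without IPFIREWALL_DEFAULT_TO_ACCEPT. As an added example, not the article's own commands and not a FreeBSD tool, the POSIX shell functions below produce KERNEL_IPFW from GENERIC and refuse to proceed if the result would lock a remote administrator out. Paths are parameters; on the article's system they are /sys/i386/conf/GENERIC and /sys/i386/conf/KERNEL_IPFW.

```shell
#!/bin/sh
# Added example, not from the article: generate KERNEL_IPFW from GENERIC
# as section II describes, then check it before config(8)/make.

IPFW_OPTIONS='options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=10
options IPFIREWALL_DEFAULT_TO_ACCEPT'

# make_ipfw_conf <GENERIC> <KERNEL_IPFW>: copy GENERIC and append each
# option line that is not already present, so the function can be rerun
# without producing duplicate "options" lines.
make_ipfw_conf() {
    cp "$1" "$2" || return 1
    printf '%s\n' "$IPFW_OPTIONS" | while IFS= read -r line; do
        grep -qxF "$line" "$2" || printf '%s\n' "$line" >> "$2"
    done
}

# lockout_guard <config>: succeed only if the firewall is either not
# compiled in at all, or compiled in together with default-accept.
# IPFIREWALL alone gives a default-deny kernel, which cuts off SSH too.
lockout_guard() {
    if grep -qxF 'options IPFIREWALL' "$1" &&
       ! grep -qxF 'options IPFIREWALL_DEFAULT_TO_ACCEPT' "$1"; then
        echo "refusing: $1 enables IPFIREWALL with a default-deny policy" >&2
        return 1
    fi
}

# Typical use on the article's system (as root), before config(8)/make:
#   make_ipfw_conf /sys/i386/conf/GENERIC /sys/i386/conf/KERNEL_IPFW
#   lockout_guard /sys/i386/conf/KERNEL_IPFW \
#       && cd /sys/i386/conf && /usr/sbin/config KERNEL_IPFW
```

The guard is deliberately the last thing run before config(8): it is the point after which a default-deny mistake becomes a trip to the data centre.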

IV. Loading the startup items

Once compilation is complete, to have the system start IPFW and its logging automatically, do the following:

STEP 1: Edit /etc/rc.conf
Add the following parameters:
firewall_enable="YES"
Enables the firewall.
firewall_script="/etc/rc.firewall"
Default firewall script.
firewall_type="/etc/ipfw.conf"
Custom firewall rule script.
firewall_quiet="NO"
Whether rule information is displayed when the script runs; once your firewall script is no longer being modified you can set this to "YES".
firewall_logging_enable="YES"
Enables firewall logging.

STEP 2: Edit /etc/syslog.conf
Add the following at the end of the file:
!ipfw
*.*						/var/log/ipfw.log

The purpose of these lines is to write the IPFW log to /var/log/ipfw.log; you can of course choose a different location for the log file.

Restart the machine once the above steps are complete.
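Once the syslog entry is in place, /var/log/ipfw.log receives one line per logged packet, capped per rule by IPFIREWALL_VERBOSE_LIMIT. The following is an added example, not part of the article: a POSIX shell function that summarises that log per rule and source address and flags rules whose log limit has been reached, so the count shown is known to be an undercount. The log lines are constructed samples in the kernel's ipfw message format; the host name www1, the interface fxp0 and the second rule 10002 are assumptions.

```shell
#!/bin/sh
# Added example, not from the article: summarise /var/log/ipfw.log.
# Constructed sample lines in the format the kernel writes:
#   ipfw: <rule> <action> <proto> <src>:<port> <dst>:<port> in via <if>
# plus the message emitted when IPFIREWALL_VERBOSE_LIMIT is hit.
SAMPLE_IPFW_LOG='Mar  1 10:00:01 www1 kernel: ipfw: 10001 Deny TCP 218.249.20.135:3411 10.0.0.5:80 in via fxp0
Mar  1 10:00:01 www1 kernel: ipfw: 10001 Deny TCP 218.249.20.135:3412 10.0.0.5:80 in via fxp0
Mar  1 10:00:02 www1 kernel: ipfw: 10001 Deny TCP 218.249.20.135:3413 10.0.0.5:80 in via fxp0
Mar  1 10:00:02 www1 kernel: ipfw: 10002 Deny UDP 198.51.100.7:53 10.0.0.5:53 in via fxp0
Mar  1 10:00:03 www1 kernel: ipfw: limit 10 reached on entry 10001
Mar  1 10:00:04 www1 kernel: ipfw: 65535 Accept TCP 192.0.2.10:51234 10.0.0.5:80 in via fxp0'

# deny_summary: read ipfw log lines on stdin and print
# "<rule> <source ip> <count>" for Deny entries, sorted by rule, with
# "(log limit reached)" appended when the kernel stopped logging that rule.
deny_summary() {
    awk '
        /ipfw: limit [0-9]+ reached on entry/ { limited[$NF] = 1; next }
        /ipfw: [0-9]+ Deny / {
            # locate the "ipfw:" token so the syslog prefix length does not matter
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            rule = $(i + 1)
            src = $(i + 4); sub(/:[0-9]+$/, "", src)   # drop the source port
            count[rule " " src]++
        }
        END {
            for (k in count) {
                split(k, parts, " ")
                flag = (parts[1] in limited) ? " (log limit reached)" : ""
                print k, count[k] flag
            }
        }
    ' | sort
}

# Usage on the article's system: deny_summary < /var/log/ipfw.log
printf '%s\n' "$SAMPLE_IPFW_LOG" | deny_summary
```

The "(log limit reached)" marker matters when reading counts under attack: with IPFIREWALL_VERBOSE_LIMIT=10 a rule logs at most ten packets, so a source showing a small count next to that marker may in fact have sent far more.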

V. Using and saving rules

After the reboot you will find that you can still log in to the remote server over SSH.

STEP 1: Testing
You will not notice any change to the system when you first log in, but try the command # ipfw show, which outputs something like:
65535 322 43115 allow ip from any to any
This tells us that IPFW has been enabled successfully and that all connections are allowed.

STEP 2: Using rules
At the command prompt, enter:
# ipfw add 10001 deny all from 218.249.20.135 to any
This rejects any traffic from 218.249.20.135; once it has run, you will find that all traffic from 218.249.20.135 is rejected.

STEP 3: Saving
Add this line to the /etc/rc.firewall file:
ipfw add 10001 deny all from 218.249.20.135 to any
then run:
# sh /etc/rc.firewall

Note that the leading # (the root prompt) is not part of the line saved into rc.firewall; the command above reloads the IPFW rules.

Alternatively, reboot the system. Either way the IPFW rule is now in effect, and all traffic from 218.249.20.135 will be rejected until you manually remove the rule.
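The article found the attacker by eye in netstat -a output (about 50 connections from one address in FIN_WAIT_1) and then typed the deny rule by hand. As an added example, not part of the article, the POSIX shell functions below automate that observation: they count half-open and half-closed TCP connections per foreign address and print candidate rules in the article's form, numbered from 10001, for an administrator to review before adding them to /etc/rc.firewall. The netstat output is constructed sample data; the threshold 50 and the address 218.249.20.135 come from the article, and the local address 10.0.0.5 and SYN_RCVD state are assumptions.

```shell
#!/bin/sh
# Added example, not from the article: detect the pattern the author saw
# with netstat and emit ipfw deny rules for review (nothing is applied).

# sample_netstat: constructed "netstat -an" output with 60 connections
# from one source stuck in FIN_WAIT_1, plus ordinary traffic.
sample_netstat() {
    printf '%s\n' 'Active Internet connections (including servers)'
    printf '%s\n' 'Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)'
    p=3401
    while [ "$p" -le 3460 ]; do
        printf 'tcp4       0      0  10.0.0.5.80            218.249.20.135.%s    FIN_WAIT_1\n' "$p"
        p=$((p + 1))
    done
    printf 'tcp4       0      0  10.0.0.5.80            192.0.2.10.51234       ESTABLISHED\n'
    printf 'tcp4       0      0  10.0.0.5.80            192.0.2.10.51235       FIN_WAIT_1\n'
    printf 'tcp4       0      0  *.80                   *.*                    LISTEN\n'
}

# flood_sources <threshold>: read netstat -an output on stdin and print
# "<ip> <count>" for every foreign address with at least <threshold> TCP
# connections in FIN_WAIT_1 or SYN_RCVD, the states a flood leaves behind.
flood_sources() {
    awk -v limit="$1" '
        $1 ~ /^tcp/ && ($NF == "FIN_WAIT_1" || $NF == "SYN_RCVD") {
            ip = $5
            sub(/\.[0-9*]+$/, "", ip)     # BSD netstat prints host.port
            count[ip]++
        }
        END { for (ip in count) if (count[ip] >= limit) print ip, count[ip] }
    ' | sort
}

# ipfw_deny_rules <first rule number>: turn "<ip> <count>" lines into the
# article's rule form, one rule number per address.
ipfw_deny_rules() {
    awk -v n="$1" '{ printf "ipfw add %d deny all from %s to any\n", n, $1; n++ }'
}

# Candidate rules for /etc/rc.firewall, to be reviewed before loading.
# On a live server: netstat -an | flood_sources 50 | ipfw_deny_rules 10001
sample_netstat | flood_sources 50 | ipfw_deny_rules 10001
```

Printing rather than running the rules is deliberate: a burst of FIN_WAIT_1 connections from one address can also be a busy proxy or NAT gateway, so the list is evidence for a person to act on, and the rule numbers start where the article's do so that the generated lines drop straight into rc.firewall.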
