The company has 10 Web servers running Red Hat Linux 9, distributed across major cities in the country and mainly providing HTTP services. Some users reported that certain servers were slow to respond or could not be reached at all; on inspection they turned out to be under DDoS (distributed denial-of-service) attack. Because the servers are geographically scattered, a hardware firewall was not an option, and although iptables is powerful enough to cope with most attacks, Linux is inherently weak at withstanding DDoS, so I had to find another solution.
1. FreeBSD's charm
FreeBSD's advantage showed up in an accidental test: I simulated the Internet on a LAN and used a Windows client to send SYN flood packets to a Windows server, a Linux server and a FreeBSD server, none of which had any protective measures. (Common DDoS attacks mainly rely on sending SYN flood packets to the server.) At 10 packets Windows stopped responding completely; at 10 packets Linux's connections became abnormal; FreeBSD could handle more than 100 SYN flood packets. I decided to move all of the company's Web servers to the FreeBSD platform.
After some time on FreeBSD, users once again reported that a website could not be accessed normally: pages loaded slowly or the site could not be found at all. Running netstat -a showed exactly 50 connections from a single IP address in the FIN_WAIT_1 state, an obvious DDoS attack. Evidently FreeBSD is not omnipotent without a firewall, so I decided to install one.
After reading a great deal of material, I learned that the most common firewall on FreeBSD is IP Firewall (IPFW). However, to use IPFW you have to recompile the FreeBSD kernel, and for security reasons IPFW rejects all network traffic by default once compiled in, including connections to the system itself. At that point I was completely stuck: what can you do when the machine is a remote server?
You must be careful: if you do not pay attention to the configuration, your server may end up rejecting all services. I tested the procedure below on a server with FreeBSD 5.0 Release installed.
2. Configure IPFW
We can think of installing IPFW as a software upgrade. On Windows, upgrading a program means downloading the upgrade package and installing it; upgrading software on FreeBSD works the same way, except that the feature we are enabling today is built into the system itself and only needs to be switched on. Before enabling it, we have to make some preparations and configure IPFW's basic parameters.
Step 1: Prepare
Perform the following operations at the command prompt:
# cd /sys/i386/conf
If this directory does not exist, your system does not have the ports service installed; remember to install it.
# cp GENERIC ./kernel_IPFW
Step 2: Kernel rules
Open kernel_IPFW in an editor and add the following four lines at the end of the file:
options IPFIREWALL
Compiles the packet filtering code into the kernel.
options IPFIREWALL_VERBOSE
Enables logging through syslogd. Without this option, packets are not logged even if a filter rule asks for them to be logged.
options IPFIREWALL_VERBOSE_LIMIT=10
Limits the number of log entries syslogd records per packet rule. If you are under heavy attack and want to record the firewall's activity without a syslog flood breaking your log writing, this option is very useful: once a rule in the chain reaches the limit, its further matches are no longer logged.
options IPFIREWALL_DEFAULT_TO_ACCEPT
This line is the most critical. It changes the default rule action from "deny" to "allow": by default IPFW will then accept all traffic, so the server behaves as if it had no firewall at all. Any rules you need can be added directly once the installation is complete.
After the input is complete, save the kernel_IPFW file and exit.
3. Compile the system kernel
FreeBSD, like Linux, is an open-source operating system, unlike Windows, whose code is closed so that when something goes wrong we can only guess or consult Microsoft. Because the FreeBSD kernel is constantly being upgraded, we usually compile it either to use the features of a new version or to customize a more efficient and stable system.
Here, of course, we compile the kernel to get a more efficient system rather than to use new features.
Some errors may be reported during compilation. To keep them to a minimum we have reduced the configuration file to the essentials; check for typing errors or other small mistakes.
Step 1: Compilation commands
Run the following on the command line:
# /usr/sbin/config kernel_IPFW
When it finishes, the following prompt appears:
Kernel build directory is ../compile/kernel_IPFW Don't forget to do a make depend'
# cd ../compile/kernel_IPFW
Note that on FreeBSD 4.x the directory is ../compile/kernel_IPFW, but on FreeBSD 5.0 it is ./compile/kernel_IPFW.
# make depend
# make
# make install
Step 2: Compile the kernel
How long this takes depends on the machine; a typical dual-P4 Xeon server with 1 GB of memory finishes in about 5 minutes.
4. Load startup items
After compilation is complete, we need to do the following so that the system starts IPFW automatically and records its logs:
Step 1: Edit /etc/rc.conf in the editor and add the following parameters:
firewall_enable="YES"
Activates the firewall.
firewall_script="/etc/rc.firewall"
The default firewall script.
firewall_type="/etc/ipfw.conf"
Your custom firewall rule file.
firewall_quiet="NO"
Whether rule information is displayed when the script runs. Once your firewall script no longer changes, you can set this to "YES".
firewall_logging_enable="YES"
Enables firewall logging.
Step 2: Edit the /etc/syslog.conf file and add the following at the end:
!ipfw
*.* /var/log/ipfw.log
These lines write the IPFW logs to /var/log/ipfw.log. You can of course choose another location for the log file.
After completing the preceding steps, restart your computer.
5. Use and save rules
After the reboot, you will find that you can still log in to your remote server via SSH.
Step 1: Test
You will not notice any change in the system after logging in, but try the following command:
# ipfw show
It prints the following:
65535 322 43115 allow ip from any to any
This tells us that IPFW has been enabled successfully and currently allows every connection.
Step 2: Use
Enter the following command at the prompt:
# ipfw add 10001 deny all from 218.249.20.135 to any
This denies all traffic from 218.249.20.135. Once it has run, you will find that every connection from 218.249.20.135 is rejected.
Step 3: Save
Add the following line to the /etc/rc.firewall file (the # prompt sign is not part of the line when you save it to rc.firewall):
ipfw add 10001 deny all from 218.249.20.135 to any
Then run the following command to reload the IPFW rules:
# sh /etc/rc.firewall
Alternatively, restart the system once and your IPFW rules will take effect. As long as you do not remove the rule manually, all traffic from 218.249.20.135 will be rejected.
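As an added example (not code from the original article), the two manual steps above combined into a small POSIX shell script: it counts connections per remote address in a given state from netstat -an output, which is how the FIN_WAIT_1 attack in section 1 was spotted, and turns the offenders into numbered ipfw deny rules of the same form as the rule in Step 2. The netstat lines, the local address 10.0.0.5 and the remote addresses 192.0.2.10 and 198.51.100.7 are constructed sample data (218.249.20.135 is the address from the article); the script prints rules for review instead of running ipfw.

```shell
#!/bin/sh
# Constructed excerpt of `netstat -an` output in FreeBSD's column order:
# proto recv-q send-q local-address foreign-address state
SAMPLE_NETSTAT='tcp4       0      0 10.0.0.5.80        218.249.20.135.3345   FIN_WAIT_1
tcp4       0      0 10.0.0.5.80        218.249.20.135.3346   FIN_WAIT_1
tcp4       0      0 10.0.0.5.80        218.249.20.135.3347   FIN_WAIT_1
tcp4       0      0 10.0.0.5.80        192.0.2.10.50001      ESTABLISHED
tcp4       0      0 10.0.0.5.80        192.0.2.10.50002      FIN_WAIT_1
tcp4       0      0 10.0.0.5.22        198.51.100.7.40000    ESTABLISHED'

# suspects THRESHOLD [STATE]: read netstat output on stdin and print
# "count ip" for every remote host with at least THRESHOLD connections
# in STATE (default FIN_WAIT_1), busiest host first.
suspects() {
    awk -v st="${2:-FIN_WAIT_1}" -v th="$1" '
        $1 ~ /^tcp/ && $6 == st {
            ip = $5
            sub(/\.[0-9]+$/, "", ip)   # drop the trailing .port
            n[ip]++
        }
        END { for (ip in n) if (n[ip] >= th) print n[ip], ip }' | sort -rn
}

# rules_for BASE: turn "count ip" lines into ipfw deny rules numbered
# from BASE upward; "log" makes matches appear in /var/log/ipfw.log.
# Rules are printed, not executed, so they can be checked and then
# appended to /etc/rc.firewall as described in Step 3.
rules_for() {
    awk -v r="$1" '{ printf "ipfw add %d deny log ip from %s to any\n", r++, $2 }'
}

# Stand-alone run: on a live server replace the sample with `netstat -an`.
printf '%s\n' "$SAMPLE_NETSTAT" | suspects 3 | rules_for 10001
```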