FreeBSD 6.3 troubles with DDoS

Dark

Verified User
Hello.
My server is being attacked again.
Could anyone give me some advice on how to protect FreeBSD 6.3 from DDoS attacks on https?
At this moment I use mod_evasive for apache and pf.
This is pf ddos filter:
Code:
ext_if="sk0"

# Table of offending sources; 'persist' keeps it around even while no rule references it.
# Entries are never removed automatically: clear them with pfctl -t ddos -T delete/flush.
table <ddos> persist
# Drop everything from a listed source; 'quick' stops rule evaluation here.
block in log quick from <ddos>

# Note: 'port www' is TCP/80 only. To cover https as well, use 'port { www, https }'.
# More than 100 new connections in 5 seconds from one source adds it to <ddos>
# and 'flush' kills that source's existing states created by this rule.
pass in on $ext_if proto tcp to $ext_if \
    port www flags S/SA keep state \
    ( max-src-conn-rate 100/5, overload <ddos> flush)
But it doesn't work :confused:
 

Rich-Boy

Verified User
In my experience mod_evasive is rather poor at preventing large-scale DDoS attacks on port 80; pf has helped me out a lot though.
I would suggest modifying that pf rule a little to include the source-track rule feature so that pf will block access from individual IPs. Here are the relevant lines from my pf.conf, which work well for me:

Code:
root# cat /etc/pf.conf
# External and internal interface macros
ext_if="re0"

pass in log on $ext_if proto tcp from any to any port www keep state (max 2000, source-track rule, max-src-states 120, max-src-conn 80)

# If this doesn't help you, try something a bit more fierce
# pass in log on $ext_if proto tcp from any to any port www keep state (max 200, source-track rule, max-src-states 15, max-src-conn 15)
Here's some useful pf configuration websites which you may already be aware of;
https://calomel.org/pf_config.html
http://www.openbsd.org/faq/pf/
 

HMTKSteve

Verified User
Any other tips for dealing with a DOS attack? Today I saw my server jump from 180 processes to 800+ in a matter of seconds. All of the new processes were httpd.

I have been making some changes to sysctl but I'd also like to do something with ipfw and possibly add something that will block an IP for 5 minutes if it tries to make too many connections.
 

scsi

Verified User
More than likely you would have to make a script that runs in a loop. You might want to look into some Apache modules such as mod_security for DDoS attacks against Apache.

Or else you could limit the max amount of connections per host kinda like this:

Code:
ipfw add <rule-#> allow tcp from any to me 80 in setup limit src-addr <max-num-of-connections>
 
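As an added example (not code from anyone in this thread), here is a POSIX sh version of the "script that runs in a loop" scsi mentions, which also does what HMTKSteve asked for: count connections per source from netstat output, emit firewall table commands for sources over a threshold, and lift the block after 5 minutes. Everything not in the thread is assumed: the pf table name <ddos> (the one in the first post's rule), ipfw table number 1, the threshold, and the netstat sample, which is constructed with RFC 5737 documentation addresses. The script only prints the pfctl/ipfw commands so it can be read and tested without a firewall present; pipe its output into sh to apply them.

```shell
#!/bin/sh
# Added example, not from the thread: a connection-count loop body for FreeBSD.
# Assumed names: pf table <ddos>, ipfw table 1, threshold 50, 5-minute block.

TABLE_PF="ddos"     # assumed; must match 'table <ddos> persist' and 'block ... from <ddos>' in pf.conf
TABLE_IPFW="1"      # assumed; must match a rule such as 'ipfw add deny ip from table(1) to me'
THRESHOLD=50        # simultaneous connections from one source that trigger a block
BLOCK_SECS=300      # 5 minutes, as asked for in the thread

# Constructed sample of 'netstat -an -p tcp' output in FreeBSD format.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.0.2.10.80          198.51.100.7.51234     ESTABLISHED
tcp4       0      0  192.0.2.10.80          198.51.100.7.51235     ESTABLISHED
tcp4       0      0  192.0.2.10.80          198.51.100.7.51236     SYN_RCVD
tcp4       0      0  192.0.2.10.80          203.0.113.5.40001      ESTABLISHED
tcp4       0      0  192.0.2.10.22          203.0.113.5.40002      ESTABLISHED
tcp4       0      0  *.80                   *.*                    LISTEN'

# count_conns PORT: read netstat output on stdin and print "COUNT IP" for each
# foreign host holding a non-LISTEN TCP connection to local PORT, highest first.
count_conns() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 != "LISTEN" {
            n = split($4, addr, ".")           # local address ends in ".PORT"
            if (addr[n] != port) next
            ip = $5; sub(/\.[0-9]+$/, "", ip)  # strip the foreign port
            conns[ip]++
        }
        END { for (ip in conns) printf "%d %s\n", conns[ip], ip }' | sort -rn
}

# offenders THRESHOLD PORT: IPs with at least THRESHOLD connections to PORT.
offenders() {
    count_conns "$2" | awk -v t="$1" '$1 >= t { print $2 }'
}

# block_cmds FW IP...: print (do not run) the table-add command for FW = pf | ipfw.
block_cmds() {
    fw="$1"; shift
    for ip in "$@"; do
        case "$fw" in
            pf)   echo "pfctl -t $TABLE_PF -T add $ip" ;;
            ipfw) echo "ipfw table $TABLE_IPFW add $ip" ;;
            *)    echo "unknown firewall: $fw" >&2; return 1 ;;
        esac
    done
}

# unblock_cmds FW IP...: the matching table-delete command.
unblock_cmds() {
    fw="$1"; shift
    for ip in "$@"; do
        case "$fw" in
            pf)   echo "pfctl -t $TABLE_PF -T delete $ip" ;;
            ipfw) echo "ipfw table $TABLE_IPFW delete $ip" ;;
            *)    echo "unknown firewall: $fw" >&2; return 1 ;;
        esac
    done
}

# expired NOW: stdin holds one "EPOCH IP" line per block this script made; print
# the IPs blocked BLOCK_SECS or more seconds before NOW (pass `date +%s` as NOW).
expired() {
    awk -v now="$1" -v ttl="$BLOCK_SECS" 'now - $1 >= ttl { print $2 }'
}

# Dry run on the constructed sample with a low threshold so that it fires.
# In production: replace the printf with 'netstat -an -p tcp', use $THRESHOLD,
# pipe the commands into sh, append "$(date +%s) $ip" to a state file for each
# block, and run this body every few seconds from a while loop or cron, feeding
# the state file to expired() and unblock_cmds to lift blocks after 5 minutes.
printf '%s\n' "$SAMPLE_NETSTAT" | offenders 2 80 | while read -r ip; do
    block_cmds pf "$ip"
done
```

The counting is done on netstat rather than on Apache's log because during the attack HMTKSteve describes the httpd children are the thing being exhausted, so the number of open sockets per source is the signal that matters. The pf table this feeds is the same <ddos> table the first post's overload rule fills; the difference is that the loop gives an explicit expiry, whereas overload entries stay until removed by hand.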

HMTKSteve

Verified User
Quote (scsi):
More than likely you would have to make a script that runs in a loop. You might want to look into some Apache modules such as mod_security for DDoS attacks against Apache.

Or else you could limit the max amount of connections per host kinda like this:

Code:
ipfw add <rule-#> allow tcp from any to me 80 in setup limit src-addr <max-num-of-connections>
What if they are targeting the IP and not a host?
 

tsiou

Verified User
Rich-Boy's answer is the best solution: it denies this kind of connection at the "kernel level" and not at the "service level". mod_security and mod_evasive can work as a second layer of protection along with pf.

In general, use pf to allow access only to the ports on which you run services, like: 21, 25, 80, 110, 113, 143, 443, 465, 587, 993, 995, 2222, 8180 and whatever else you use, and apply to those ports the rule shown below to restrict the maximum connections per host per second.
 

IT_Architect

Verified User
Questions:
1. 8180 shows up in the port scan but what is it used for?
2. 113 I don't see in the port scan. Why does that need to be open?
3. Why isn't FTP-Data port 20 in the list?
4. What about the FTP ephemeral ports? (IANA range is 49152-65535)

Thanks!
 

tsiou

Verified User
You can google and read about ident (port 113) and its use; read http://slacksite.com/other/ftp.html about passive and active FTP and why you need only port 21 listening (of course you keep state for the server's outgoing connections).
Do you run Tomcat on port 8180?
 

IT_Architect

Verified User
Quote (tsiou):
You can google and read about ident (port 113) and its use; read http://slacksite.com/other/ftp.html about passive and active FTP and why you need only port 21 listening (of course you keep state for the server's outgoing connections).
Do you run Tomcat on port 8180?
Thank you for your reply. I did Google them before posting.
1. 8180 is used for a great many things, BlackBerry, http alternates, Tomcat, etc. I don't run Tomcat but something is there. Perhaps Apache in case I do use Tomcat. It shows up in nmap but when I tried telnetting it, I got no response.
2. 113, when I Googled it, came back with "login". I couldn't figure out why that would be wanted. I did some more research and learned it isn't a normal login, just a way to identify the user of a connection, and is only used by UNIX systems. The advantage of having it open is informational, and the other side won't need to wait for a timeout sometimes.
3. Without port 20, active FTP would not be possible.
4. Without an FTP ephemeral port range, passive ftp would not be possible.
*With point 3 and 4 taken together, I don't see how ftp would be possible.

Thanks for your clarification!
 

tsiou

Verified User
http://www.openbsd.org/faq/pf/ftp.html

You can use the rules below:

Code:
if=em0

pass out quick on $if keep state

...other rules...

pass in quick on $if proto tcp from any port 20 to $if port > 1023 modulate state
pass in quick on $if proto tcp from any to any port > 49151 keep state
That will work for you.
 

IT_Architect

Verified User
I'm just gathering information on putting a pf firewall together; I've only worked with appliances in the past. When I saw 21 open, but not 20 or the PASV ports, I assumed I might be missing something. For instance, it is possible to open and close them dynamically based on the state of the FTP connection.

On this particular server, I'm contemplating eliminating ftp. The only fly in the ointment is Dreamweaver doesn't really have a secure way of working with sites. Dreamweaver, aside from being a good site editor, is useful for figuring out what has changed where, and cleaning up unused files on the local and remote sites.

Thanks!
 

tsiou

Verified User
Sorry, this rule isn't needed (it's for something else):

Code:
pass in quick on $if proto tcp from any port 20 to $if port > 1023 modulate state

You can use only:

Code:
if=em0

pass out quick on $if keep state # this includes active ftp

...other rules...

pass in quick on $if proto tcp from any to any port > 49151 keep state # for passive ftp

Port 20 is used on outgoing connections (from local port 20 to any remote), so the "pass out quick ... keep state" rule covers active FTP and any connections from your server to the client.

Dreamweaver can be connected to an external FTP client for secure FTP connections; there is a how-to on Adobe's web site...
 

IT_Architect

Verified User
Quote (tsiou):
Dreamweaver can be connected to an external FTP client for secure FTP connections; there is a how-to on Adobe's web site...
I'll have to dig that up. The "secure" SFTP they have built in sends the user name and password in the clear, and then encrypts the transfer. :rolleyes: I've never gotten it to work because a proper SFTP server refuses it, but I see many others have. Of course that also means they have a security hole big enough to drive an 18-wheeler through. Even universities that teach Computer Science don't allow students to upload assignments with it; they are required to use a different client. Dreamweaver has been that way for years. I cannot imagine that they cannot come up with an SFTP client of the kind people write as a hobby and sell cheap or give away today.
 

tsiou

Verified User
In Dreamweaver CS4 I just checked SFTP and it works.
As with SFTP in general, virtual usernames aren't supported, so you can work only with the primary user/pass.
 

IT_Architect

Verified User
Quote (tsiou):
In Dreamweaver CS4 I just checked SFTP and it works.
As with SFTP in general, virtual usernames aren't supported, so you can work only with the primary user/pass.
I upgraded through CS3. What tipped me off as to why it didn't work for me was: http://www.cs.unm.edu/computer_facilities_and_support/making_your_cs_home_page/ Then I turned on the packet sniffer and found they were correct. No wonder I couldn't connect. I remember myself and many others screaming for years about it on their forums. I tried the eval of CS4, and fully expected to upgrade to the suite, but when I tried it, there were too many areas where I was less productive and the perks I was interested in were not real. I was really disappointed with Spry; CSS style debugging wasn't useful because, with few exceptions, the only thing it found were the IE work-arounds. The environment's CSS rendering improvements were a wash between CS3 and CS4, and the Photoshop integration was not usable because it wouldn't let me optimize images on save when I edited them through Dreamweaver, so I rolled back to CS3. I would have paid money just to come close to breaking even, but that wasn't the case for me. However, I do not recall trying SFTP (I had given up hope by then). I just went out to the forums and searched for SFTP on the Dreamweaver forum and noticed that there are no recent SFTP posts, thereby reassuring me that it actually works, and works safely, with CS4. CS4 may get me after all. Perhaps there is a way to drop Spry from the install. :D

Traditionally, Aptana has been far better to develop and debug PHP and JavaScript in. As an editor it is better because the matching is so much easier and quicker to use. The flip side is Dreamweaver has no match for syncing sites (even though dog slow), automatically adjusting code to match the document type, and site-wide changes due to its ability to ignore white space. Since I spend more time with the simpler aspects of pages, syncing things, validating to certain document types, and most debugging doesn't require stepping through PHP or JavaScript to watch variables change, I tend to gravitate toward Dreamweaver. However, if I need to make a change, perhaps now is the best time to download the latest version of Aptana to make sure Dreamweaver is still where I want to be for most of my development.

Thanks!
 