DDoS mitigation



  • Hello. I own a small company that hosts some game servers.
    As you already know, games are the target of many DDoS attacks.
    I am looking for a solution to stop attacks hitting the dedicated servers. I am not talking about the case when the pipe is full, I know that there is nothing you can do (except blackhole the target IP).

    The links connect to my Linux box router and I would like to connect a device (pfSense box for example) so the attacks do not hit the dedicated servers where the games are hosted.

    The attacks I receive are DNS and NTP amplification, UDP, TCP SYN, TCP ACK and other types.

    So... is pfSense able to stop these kinds of attacks? Or at least part of them?
    Are only firewall rules used for this purpose? Is Snort used for such things?

    Thank you


  • Rebel Alliance Developer Netgate

    No firewall, pfSense included, is a DDoS mitigation device.

    Some of what you describe, depending on the volume, could maybe be handled by a firewall: the firewall alone, or maybe in some cases combined with an IDS/IPS package like Snort or Suricata. But depending on the type and/or volume of the attacks, it could easily overwhelm any firewall.

    That's why special DDoS mitigation devices and services exist, though. You need to choke off attacks closer to the source, before they reach your own network if possible.



  • @jimp said in DDoS mitigation:

    No firewall, pfSense included, is a DDoS mitigation device.

    I admit that I don't understand what you have just said :))

    Some attacks are easy to stop with a firewall. For example NTP attacks, because all traffic comes from the same port, 123.

    But I have issues stopping UDP attacks that have spoofed IPs with random source ports. Every IP sends up to 10-15 pps, but the attack reaches 100-200 kpps.

    I saw many devices that limit UDP packets (let's say a threshold of 100 pps) but it does not stop attacks like the one described before. Also, you can't set a small threshold because you drop legit traffic.

    In general, I receive attacks of up to 1 Gbps and 300 kpps. Once I received an attack of up to 900 kpps.
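    The two patterns described above (reflection traffic all arriving from one source port, versus a spoofed flood where every source stays under any sane per-IP limit) can be told apart by comparing the aggregate rate with the busiest single source per second. The following is an added example, not code from the thread or from pfSense; the flow records, IP ranges, port numbers and thresholds are constructed.

```python
from collections import Counter, defaultdict

# Reflection services named in the thread, keyed by the UDP source port the
# reflected replies arrive from (constructed mapping for this example).
REFLECTOR_PORTS = {53: "dns", 123: "ntp"}


def build_sample():
    """Constructed flow records: (second, src_ip, src_port, dst_port, proto, packets)."""
    recs = []
    for t in range(3):                                   # 50 legit players, 30 pps each
        for i in range(50):
            recs.append((t, f"198.51.100.{i}", 40000 + i, 27015, "udp", 30))
    for i in range(20000):                               # second 1: spoofed flood, 10 pps/src
        recs.append((1, f"10.0.{i >> 8}.{i & 255}", 1024 + (i * 7919) % 60000, 27015, "udp", 10))
    for i in range(500):                                 # second 2: NTP reflection, 200 pps/src
        recs.append((2, f"10.1.{i >> 8}.{i & 255}", 123, 27015, "udp", 200))
    return recs


def analyze(records, total_pps=50_000, per_src_pps=100):
    """Per-second verdict: aggregate rate versus the busiest single source."""
    per_sec = defaultdict(lambda: {"pps": 0, "by_src": Counter(), "by_port": Counter()})
    for sec, src, sport, _dport, proto, pkts in records:
        if proto != "udp":
            continue
        b = per_sec[sec]
        b["pps"] += pkts
        b["by_src"][src] += pkts
        b["by_port"][sport] += pkts
    out = {}
    for sec in sorted(per_sec):
        b = per_sec[sec]
        max_src = max(b["by_src"].values())
        port, port_pkts = b["by_port"].most_common(1)[0]
        verdict = "normal"
        if b["pps"] >= total_pps:
            if port in REFLECTOR_PORTS and port_pkts / b["pps"] > 0.5:
                verdict = f"amplification:{REFLECTOR_PORTS[port]}"  # one source port: a rule can drop it
            elif max_src < per_src_pps:
                verdict = "distributed_flood"  # per-source limiters never trigger; only the aggregate does
            else:
                verdict = "flood"
        out[sec] = {"pps": b["pps"], "sources": len(b["by_src"]),
                    "max_src_pps": max_src, "verdict": verdict}
    return out


if __name__ == "__main__":
    for sec, info in analyze(build_sample()).items():
        print(sec, info)
```

    The "distributed_flood" verdict is the case the post describes: a per-source threshold would have to be below 10 pps to fire, which also drops players, so the useful signal is the aggregate rate toward the destination.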



  • @jimp A volumetric DDoS cannot be stopped by a firewall, but a modern proper firewall should be able to do line-rate packet processing into the multi-gigabit range. His concern is that his firewall cannot or might not be capable of line-rate processing, but possibly should be.

    I know FreeBSD, which is somewhat beyond the scope of pfSense, has issues with certain corner cases in DDoS attacks where a few megabits per second of traffic can take down a firewall that should be able to handle many gigabits. That is pathetic, but strangely the industry norm.

    It's not a fundamental issue. Even if the issue is beyond pfSense, pfSense could try to use its business connections to light a fire under FreeBSD to fix these issues. Maybe it's an awareness issue. Maybe it's already being looked at. Maybe the issue is moot once pfSense 3.0 is out and it's not worth the relatively short-term effort.

    Whatever the problem is, it's not a "can't be done", but some combination of communication, technical debt, and incompetence (not in the insulting use of the word; we're all incompetent at something and we strive to fix that).

    The end goal is to make volumetric DoS attacks the only viable attack method. Grossly asymmetric resource attacks are just poor programming being exposed. A bit of napkin math can show that pfSense (the FreeBSD network stack) can spend in the ballpark of a trillion clock cycles per packet under certain attacks. What is it doing?! See below.

    There is a company that uses FreeBSD to block DDoS attacks, quite successfully. They had a BSDCon presentation some years ago. Not sure how much they have upstreamed, but their talk showed that there's a lot of low-hanging fruit to make FreeBSD magnitudes faster. Most has to do with replacing O(N^2) algorithms with proper O(1), O(log N) or regrettably even O(N). Some of the higher fruit is not having a globally shared state table, but one per core, which allows lockless/contentionless data-structure access and manipulation.