[Firehol-support] Logging of DDoS attacks

Costa Tsaousis costa at tsaousis.gr
Sun Apr 3 23:56:47 CEST 2005


Hi,

Currently the "protection" statement can detect TCP and ICMP floods. I
think it would be relatively easy to have a global flood detector there.

In v1.231 (get it from http://firehol.sf.net/firehol.tar.gz) I have
written the protection 'all-floods'. To use it, put it first, just after
any interface or router statement.
Syntax:

protection all-floods <freq> <burst>

For <freq> and <burst> check the docs of 'protection'.

This one puts a threshold on all NEW connection requests (any protocol),
independently of whether there is a listening server or not. The overflow
requests are dropped, and of course there will be a log with "ALL FLOODS"
when this happens.

Note however, that a firewall may not be the "perfect" solution for this
problem. Maybe you need an IDS (intrusion detection system). Have you
checked snort?

Regards,

Costa


On Sat, April 2, 2005 1:15, Bernhard Gruen said:
> Hello Costa, hello list members,
>
> at the moment my server housing provider has some trouble with incoming
> DDoS attacks. Therefore some people on a private unofficial message board
> discussed detection and logging of this kind of attack.
> I stated that FireHOL has support for "accept with limit". With this
> option enabled I can log that my server is flooded on only one service.
> But I am not able to detect that my server is flooded with UDP packets on
> many fast changing ports. Someone else thought that he could use tcpdump
> to detect such a kind of attack but I am sure that this is not the best
> solution. I hope that IPtables/FireHOL is able to log such attacks too.
> Can someone give me a hint how to do this?
> Our goal is to write a tool that searches the logs for messages about
> possible DDoS attacks from IPtables/FireHOL.
>
> Many thanks for reading my message and many many thanks in advance for
> answering.
>
>
> Bernhard Gruen from Germany
>
> btw. FireHOL is beloved by many members of that private message board.
> Thank you for your piece of god-like software!
>
>
> _______________________________________________
> Firehol-support mailing list
> Firehol-support at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/firehol-support
>
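The tool Bernhard describes (search the firewall logs for flood messages) can be sketched as follows. This is an added example, not code from FireHOL or from either poster: it scans kernel log lines for the "ALL FLOODS" marker Costa mentions, parses the standard netfilter LOG target key=value fields, and reports sources whose dropped NEW connections reach a threshold, including how many distinct destination ports they hit (a UDP flood on fast-changing ports shows up as one SRC with many DPTs). The exact log prefix layout and the sample lines are constructed assumptions; adjust FLOOD_MARKER to whatever your FireHOL version actually writes.

```python
#!/usr/bin/env python3
"""Summarise FireHOL "ALL FLOODS" drops from syslog/kernel log lines.

Added example (not FireHOL code). Assumptions: the log prefix contains the
string "ALL FLOODS", and the rest of the line carries the usual netfilter
LOG target fields (SRC=, DST=, PROTO=, SPT=, DPT=, ...).
"""
import re
from collections import Counter, defaultdict

FLOOD_MARKER = "ALL FLOODS"          # assumed prefix written by the rule
KV_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")


def parse_line(line):
    """Return the interesting fields of a flood log line, or None.

    Lines without the marker, or without at least SRC and PROTO, are
    ignored so a truncated or unrelated line cannot poison the counts.
    """
    if FLOOD_MARKER not in line:
        return None
    fields = dict(KV_RE.findall(line))
    if "SRC" not in fields or "PROTO" not in fields:
        return None
    return fields


def summarise(lines, threshold):
    """Aggregate flood drops per source address.

    Returns {src: {"drops": n, "protocols": {proto: n}, "distinct_dports": n}}
    for every source with at least `threshold` dropped NEW connections.
    """
    drops = Counter()
    protocols = defaultdict(Counter)
    dports = defaultdict(set)
    for line in lines:
        f = parse_line(line)
        if f is None:
            continue
        src = f["SRC"]
        drops[src] += 1
        protocols[src][f["PROTO"]] += 1
        if "DPT" in f:                # ICMP lines carry no port
            dports[src].add(f["DPT"])
    return {
        src: {
            "drops": n,
            "protocols": dict(protocols[src]),
            "distinct_dports": len(dports[src]),
        }
        for src, n in drops.items()
        if n >= threshold
    }


# Constructed sample log (documentation addresses), not a real capture:
# one UDP source hammering changing ports, one TCP source under threshold,
# an ordinary non-flood drop, and a truncated flood line with no SRC.
SAMPLE_LOG = """\
Apr  3 23:50:01 fw kernel: ALL FLOODS:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=48 PROTO=UDP SPT=40001 DPT=10001 LEN=28
Apr  3 23:50:01 fw kernel: ALL FLOODS:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=48 PROTO=UDP SPT=40002 DPT=10002 LEN=28
Apr  3 23:50:01 fw kernel: ALL FLOODS:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=48 PROTO=UDP SPT=40003 DPT=10003 LEN=28
Apr  3 23:50:02 fw kernel: ALL FLOODS:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=48 PROTO=UDP SPT=40004 DPT=10004 LEN=28
Apr  3 23:50:02 fw kernel: ALL FLOODS:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=48 PROTO=UDP SPT=40005 DPT=10005 LEN=28
Apr  3 23:50:02 fw kernel: ALL FLOODS:IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=51000 DPT=80 SYN
Apr  3 23:50:03 fw kernel: ALL FLOODS:IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=51001 DPT=80 SYN
Apr  3 23:50:03 fw kernel: IN-internet:IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=3333 DPT=22 SYN
Apr  3 23:50:04 fw kernel: ALL FLOODS:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00
"""

if __name__ == "__main__":
    for src, info in summarise(SAMPLE_LOG.splitlines(), threshold=3).items():
        print(f"{src}: {info['drops']} drops, protocols={info['protocols']}, "
              f"{info['distinct_dports']} distinct destination ports")
```

Run it against `grep 'ALL FLOODS' /var/log/kern.log` instead of SAMPLE_LOG in practice; the threshold is a reporting threshold for the script, independent of the `<freq>`/`<burst>` values given to `protection all-floods`, which decide what gets dropped and logged in the first place.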