Summary
This article describes a DDoS mitigation setup based on FreeBSD 5.3 using PF's synproxy. It is a viable solution for small to medium-sized businesses to withstand attacks at a rate of 30,000 packets per second.
Is it really 30,000?
Environment
Firewall: Desktop P4 2G, 512MB memory, FreeBSD 5.3
WEB Server: Laptop PIII 700, 256MB, SUSE Linux Enterprise Server 9
Attack Machine: Laptop PIII 700, 256MB, WIN2000 SERVER
Attack Tool: HGOD v0.4
Test Machine: Laptop PIII 700
Topology:
=====
Firewall:
xl0 External NIC: 172.16.0.1; sis0 Internal NIC: 192.168.100.1
WEB Server: eth0 192.168.100.2
Attack Machine: 172.16.0.194
Test Machine: 172.16.0.195
1. Compile the Kernel
```shell
# cd /usr/src/sys/i386/conf
# cp GENERIC billy-pf
# vi billy-pf
```
Add the following:
```shell
device pf
device pflog
device pfsync
options ALTQ
options ALTQ_CBQ # Class Based Queuing (CBQ)
options ALTQ_RED # Random Early Detection (RED)
options ALTQ_RIO # RED In/Out
options ALTQ_HFSC # Hierarchical Packet Scheduler (HFSC)
options ALTQ_PRIQ # Priority Queuing (PRIQ)
options ALTQ_NOPCC # Required for SMP build
```
Then build and install the new kernel:
```shell
# config billy-pf
# cd ../compile/billy-pf
# make depend; make; make install
```
2. Edit Startup Script
Edit the `/etc/rc.conf` file:
```shell
pf_enable="YES" # Enable PF (load module if required)
pf_rules="/etc/pf.conf" # Rules definition file for PF
pf_flags="" # Additional flags for pfctl startup
pflog_enable="YES" # Start pflogd(8)
pflog_logfile="/var/log/pflog" # Where pflogd should store the logfile
pflog_flags="" # Additional flags for pflogd startup
gateway_enable="YES"
```
3. Modify `/etc/pf.conf`
```shell
ext_if="xl0"
int_if="sis0"
internal_net="192.168.100.1/24"
external_addr="172.16.0.1"
web_server="192.168.100.2"
nat on $ext_if from $internal_net to any -> ($ext_if)
```
> Reason for the parentheses around `($ext_if)`: if the external address is assigned by DHCP and the parentheses are omitted, PF reads the interface address once when the rules are loaded. If the address later changes, NAT keeps translating to the old address and outbound connections fail. With parentheses, PF looks up the interface's current address each time, so the translation address follows the change automatically.
```shell
rdr on $ext_if proto tcp from any to $external_addr/32 port 80 -> $web_server port 80
```
> This redirects TCP port 80 (web server) traffic to the internal network address `$web_server`. Therefore, external users can access the web server even if it is located behind the gateway on the internal network.
```shell
pass in on $ext_if proto tcp from any to $web_server port 80 flags S/SA synproxy state
```
> This applies synproxy to connections arriving at port 80 of the external address: PF completes the client's TCP handshake itself and only opens a connection to the web server once the client has answered, so spoofed SYNs never reach the server. The rule matches `$web_server` rather than `$external_addr` because `rdr` rewrites the destination address before the filter rules are evaluated.
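The fragments above assembled into one `/etc/pf.conf`, together with the dry-run-then-load workflow a practitioner would use before trusting the file on a live firewall. This is an added example, not the article's own configuration or the project's code: the `block in`, `pass out` and internal-interface rules are assumptions added for a default-deny policy (the article's rules contain no `block` at all), `scrub in all` is an added normalization step, and the helper names (`render_pf_conf`, `check_pf_conf`, `install_pf_conf`) are hypothetical. The section order (macros, normalization, translation, filtering) is the order PF of this generation requires.

```shell
#!/bin/sh
# Added example (not from the original article): assemble the article's
# pf.conf fragments into one file in the order pf requires (macros,
# normalization, translation, filtering), dry-run it with pfctl -nf, and only
# then load it. Rules marked "added" are assumptions for a default-deny policy.

render_pf_conf() {
    cat <<'EOF'
# macros: interface names and addresses from the article's topology
ext_if="xl0"
int_if="sis0"
internal_net="192.168.100.1/24"
external_addr="172.16.0.1"
web_server="192.168.100.2"

# normalization: reassemble fragments before they reach the filter (added)
scrub in all

# translation: NAT the internal network, redirect port 80 to the web server
nat on $ext_if from $internal_net to any -> ($ext_if)
rdr on $ext_if proto tcp from any to $external_addr/32 port 80 -> $web_server port 80

# filtering: deny everything inbound on the external interface by default (added)
block in on $ext_if all

# let the firewall and the NATed internal hosts talk outbound (added)
pass out on $ext_if all keep state

# the article's rule: rdr already rewrote the destination to $web_server, so the
# filter matches the translated address; synproxy finishes the client's handshake
# before the web server sees a single packet
pass in on $ext_if proto tcp from any to $web_server port 80 flags S/SA synproxy state

# internal interface: trust the LAN in both directions (added)
pass in on $int_if from $internal_net to any keep state
pass out on $int_if all keep state
EOF
}

# write_pf_conf <path>: render the configuration to <path>
write_pf_conf() {
    render_pf_conf > "$1"
}

# rule_count <path>: number of non-comment, non-blank lines, a quick sanity metric
rule_count() {
    grep -v '^[[:space:]]*#' "$1" | grep -c '[^[:space:]]'
}

# check_pf_conf <path>: parse-only run with pfctl when it is installed.
# Returns 2 when pfctl is missing so a caller can tell "not checked" from "bad".
check_pf_conf() {
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$1"
    else
        echo "pfctl not found; $1 was not syntax-checked" >&2
        return 2
    fi
}

# install_pf_conf <path>: write, check, load; never loads a file that fails the dry run
install_pf_conf() {
    write_pf_conf "$1" || return 1
    check_pf_conf "$1" || return $?
    pfctl -f "$1"
}

# usage (hypothetical file name; run as root on the firewall):
#   sh pf-deploy.sh /etc/pf.conf
if [ -n "$1" ]; then
    install_pf_conf "$1"
fi
```

`pfctl -nf` parses the file without touching the running ruleset, which is the step that catches a misquoted macro or a rule placed in the wrong section before it can lock you out of the box.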
4. Modify Gateway IP on 192.168.100.2
Set the gateway IP to `192.168.100.1`.
5. Edit `/etc/sysctl.conf`
Uncomment or add the following line:
```shell
net.inet.ip.forwarding=1
```
This enables the firewall to perform IP forwarding. Restart the system.
6. Test
Before launching the attack, access the web server:
http://172.16.0.1/index.html (The homepage of the web server opens successfully)
Attack: Launch a DDoS attack against port 80 of the firewall's external IP (172.16.0.1):
```shell
hgod 172.16.0.1 80
```
Monitor the WEB server (192.168.100.2) to observe connections to port 80 and the number of packets received. Also, evaluate the attack intensity on the firewall (
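A way to watch the firewall's side of the test, added here as an example rather than anything from the original article. It summarises `pfctl -s state` output: a synproxy state sits in `PROXY:SRC` while PF is still answering the client's handshake on the server's behalf, moves to `PROXY:DST` while PF completes the handshake with the web server, and reaches `ESTABLISHED:ESTABLISHED` only once the real connection is open. A flood of spoofed SYNs therefore appears as many `PROXY:SRC` entries that never progress, while the web server's own connection table stays quiet. The sample listing is constructed to resemble the pf state format of that era; the functions key off the last two columns only, so the leading columns may differ on a real system. The helper names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original article): summarise `pfctl -s state`
# during the synproxy test. PROXY:SRC = PF still completing the client's
# handshake (nothing has reached the web server); PROXY:DST = PF opening the
# backend connection; ESTABLISHED:ESTABLISHED = real connection in place.
#
# Constructed sample; only the last two columns (source endpoint, state pair)
# are relied on, and only inbound ("<-") states are counted.
SAMPLE_STATES='xl0 tcp 192.168.100.2:80 (172.16.0.1:80) <- 172.16.0.194:1025       PROXY:SRC
xl0 tcp 192.168.100.2:80 (172.16.0.1:80) <- 172.16.0.194:1026       PROXY:SRC
xl0 tcp 192.168.100.2:80 (172.16.0.1:80) <- 172.16.0.194:1027       PROXY:SRC
xl0 tcp 192.168.100.2:80 (172.16.0.1:80) <- 172.16.0.195:3301       ESTABLISHED:ESTABLISHED
xl0 tcp 192.168.100.2:80 (172.16.0.1:80) <- 172.16.0.195:3302       PROXY:DST
xl0 tcp 172.16.0.1:49152 -> 172.16.0.200:53       ESTABLISHED:ESTABLISHED'

# count_state <pair>: number of inbound states whose state column equals <pair>
count_state() {
    awk -v want="$1" '/ <- / && $NF == want { n++ } END { print n + 0 }'
}

# half_open_by_source: clients whose handshakes PF is still answering for them,
# printed as "address count", busiest first. A source with many entries that
# never leave PROXY:SRC is sending SYNs it does not intend to complete.
half_open_by_source() {
    awk '/ <- / && $NF == "PROXY:SRC" {
             split($(NF-1), ep, ":")   # drop the source port
             n[ep[1]]++
         }
         END { for (ip in n) print ip, n[ip] }' | sort -k2,2nr
}

# report: one-line summary of the three phases, suitable for a watch loop
report() {
    data=$(cat)
    printf 'half-open(PROXY:SRC)=%s backend-handshake(PROXY:DST)=%s established=%s\n' \
        "$(printf '%s\n' "$data" | count_state PROXY:SRC)" \
        "$(printf '%s\n' "$data" | count_state PROXY:DST)" \
        "$(printf '%s\n' "$data" | count_state ESTABLISHED:ESTABLISHED)"
}

# Demo on the constructed sample. On the firewall during the test, run:
#   pfctl -s state | report
#   pfctl -s state | half_open_by_source
printf '%s\n' "$SAMPLE_STATES" | report
printf '%s\n' "$SAMPLE_STATES" | half_open_by_source
```

Comparing the `established` count on the firewall with the port 80 connections seen on 192.168.100.2 is the check that synproxy is doing its job: the web server should see only the established ones, never the half-open set.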