On 10.02.2013 14:57, James Howlett wrote:
Date: Sun, 10 Feb 2013 14:47:30 +0400
From: melifaro@FreeBSD.org
To: jim.howlett@outlook.com
CC: bird-users@trubka.network.cz
Subject: Re: BGP/OSPF router security
On 10.02.2013 03:37, James Howlett wrote:
Hello all,
Hello.
I have a single FreeBSD/bird router running BGP and OSPF. I have two full BGP feeds and some IXP sessions. Some of my users are subject to DDoS attacks which basically kill my router. Is there anything I can do to make things better? I was thinking about adding a second router and having one full BGP feed per router. I was also thinking about joining the BGP Blackholing project. But the question remains: what else can I do to survive a DDoS, or at least be able to react when a DDoS occurs?
It depends on the kind of attacks you're facing. If you're simply getting all your upstream ports fully utilized by the attack, you should ask your upstreams for the DDoS protection they offer (e.g. blackhole communities, or other stuff).
If we're talking about an attack (for example, a small-packet flood) that "kills" the router, you should probably take a look at your system to make sure it is tuned well and there are no complex firewall processing rules.
There are some guidelines (still WIP) here: https://wiki.freebsd.org/NetworkPerformanceTuning
Btw, what amount of traffic (PPS) are we talking about?
200k pps. The problem was that the router started to drop the OSPF-related communication, and all my network went off-line.
Well, this is not very much. A properly tuned server should handle such an amount without any problems and without significant CPU usage (e.g. we're doing complex firewalling for 1-2 MPPS of traffic per 2xE5645 machine, and most of the CPU usage is consumed by ipfw, not routing). Probably something can be tuned a bit better (like the number of queues, or thread binding, or the firewall ruleset, or ...). You can write to me off-list for some additional hints if you have any questions related to ipfw or network stack tuning.
All best, Jim