
Re: protection against DDoS with Syn-Flood



On Tue, Feb 01, 2005 at 05:59:07PM +0100, Stefan Kell wrote:
> Hi folks,
> 
> starting on Monday, heise-online (http://www.heise.de), a well-known German
> newssite, is under a massive ddos attack with syn-flooding. As far as I
> know, they are connected to the net with 100mbit/s via switches and load
> balancers directly at the central de-cix node in Frankfurt. Their load
> balancers crashed due to the heavy load according to heise-online.
> 
> Question to the specialists here: could OpenBSD's syn-proxy feature handle
> the situation better, especially without crashes? What parameters could be
> optimized so that this load can be handled?
> 

This depends on the nature of the attack and their network.

Most DDOS attacks I deal with are in the region of 50-250kpps.
I believe that an obsd box should be able to handle the lower region of these.
I don't speak from experience though, as I can't use obsd or other
free software for the situation I am in.

I don't know any of the details of this attack, wasn't their provider
able to sort it out?

/Tony S

-- 
---
Tony Sarendal - tony.sarendal@polarcap.org - sip:tony.sarendal@polarcap.org
Cisco/Unix/Babies
	-= The scorpion replied,
		"I couldn't help it, it's my nature." =-