I'm working for an ISP and I'm trying to find a solution to some really
annoying flood problems. I have to control the traffic over a Gig-link
(about 600mb/s). I tried with snort and it's nearly impossible.

Specific action required: block the destination IP (yeah, our own customer)
when they receive more than 3mb/s of traffic per minute. Is there a
snort rule that allows that, or anything else somebody is aware of?

Here's a short drawing of the network

(provider) --- Gig link --- Cisco 7114 Router --- Cable Modem Users
                              Snort Linux Box

Any help or suggestion is appreciated

alex.cabana@cgocable.ca wrote:
Um, would it not make more sense to throttle things at the router? Or
maybe add a good bridging-mode hardware firewall with GIG links that
supports rate limiting by destination IP address?

No, it consumes too much CPU on the router unfortunately, and the
firewall isn't in the 2005 budget ;)

So I have to find a way to do some kind of accounting to limit the
traffic for random users. Snort rules failed to detect the flood (well, it
detects some kind of flood packets, but sometimes attackers use a gig link
to ping-flood our cable modem users).

The snort FreeBSD box is really powerful, something like a DELL with two
3.8GHz CPUs and RAID SCSI hard drives. I'm pretty sure there's something
out there that I could tweak to make it work.

Any suggestion? Thank you for your help :)

alex.cabana@cgocable.ca wrote in the message:
Just some thoughts (disclaimer below):

Sounds like you want to limit outside attacks against your customers. Then
you'll want to block the source (attacker), not the destination (customer),
or am I missing something?

If you want to limit bandwidth, can you use pf queues?

I apologize if my ideas miss the point here. I only use BSD for LAN network
protection and traffic shaping, no external clients, and I am still in an
experimental stage, as is my BSD box ... ;-)

keme wrote:

....I use FreeBSD and IPFW for this...works well...


"Microsoft isn't evil, they just make really crappy operating systems." -
Linus Torvalds

Yeah, I want to block my own customer. Since the flooder uses around
1000-2000 random IPs, I can't block all these on the router. It's
easier to block the local user, the source, by adding a route to null :)

For the moment my main goal is to see the attack, not take action
against it. The computer is connected to a switch and the backbone
traffic is mirrored to its switch port. The FreeBSD box isn't the
router (obviously, since we are a provider and there's 600mb/s of
traffic going out of our network).

Again, any help is appreciated :) Thanks

To make a long story short, the main goal of the project is to see when
there's a certain amount of traffic (flows) going to a specific
IP address in our network (something like 3mb/s), then treat this
as a flood and take a random action (like sending an email).
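The per-destination accounting described in this thread (flag a customer IP that receives more than 3 Mb/s averaged over a minute, then take an action such as sending an email), as an added example that is not from any of the posters. It runs over constructed packet records instead of a mirrored capture, and the customer addresses are documentation-range placeholders.

```python
from collections import defaultdict, deque

THRESHOLD_BPS = 3_000_000   # 3 Mb/s, the figure quoted in the thread
WINDOW_SECONDS = 60         # "per minute"


class DestinationRateMonitor:
    """Sliding-window byte accounting keyed by destination IP."""

    def __init__(self, threshold_bps=THRESHOLD_BPS, window=WINDOW_SECONDS):
        self.window = window
        self.limit_bits = threshold_bps * window      # bits allowed per window
        self.samples = defaultdict(deque)             # dst -> (ts, bits) still in window
        self.bits_in_window = defaultdict(int)
        self.flagged = set()

    def observe(self, ts, dst, nbytes):
        """Record one packet; return True the first time dst exceeds the limit."""
        q = self.samples[dst]
        bits = nbytes * 8
        q.append((ts, bits))
        self.bits_in_window[dst] += bits
        while q and q[0][0] <= ts - self.window:     # expire samples older than the window
            self.bits_in_window[dst] -= q.popleft()[1]
        if self.bits_in_window[dst] > self.limit_bits and dst not in self.flagged:
            self.flagged.add(dst)
            return True
        return False

    def rate_bps(self, dst):
        return self.bits_in_window[dst] / self.window


def constructed_records():
    """Constructed sample data: one ping-flooded customer, one normal customer."""
    recs = [(i * 0.0015, "203.0.113.10", 1500) for i in range(20_000)]  # 30 MB in 30 s
    recs += [(i * 0.3, "203.0.113.20", 1500) for i in range(200)]        # 300 KB in 60 s
    recs.sort()
    return recs


def run_demo():
    """Return {flagged_ip: Mb/s at the moment it was flagged}; stands in for the email."""
    mon = DestinationRateMonitor()
    alerts = {}
    for ts, dst, nbytes in constructed_records():
        if mon.observe(ts, dst, nbytes):
            alerts[dst] = round(mon.rate_bps(dst) / 1e6, 1)
    return alerts


if __name__ == "__main__":
    print(run_demo())
```

The same observe() loop can be fed from a flow export or a pcap reader on the mirror port; the action on a True return is whatever the site wants, the thread's null route included.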

