怎样配置才能有效防止DDOS攻击？

lqliang

想用BSD作为WEB服务器，但不知怎样配置才能有效防止DDOS攻击，有此请教各位大大们

antijp

Yesterday, I have a test on FreeBSD 6 with synflooding. FreeBSD behaved very well but strange.

Though net.inet.tcp.syncookies is on by default, I set it to zero to disable syncookie, it seems that the FreeBSD was still using syncookie. I don't know if it's the normal operation. I'll do some dig into the source to see what will happen when set the MIB to 0.

After all, you should enable device polling before any other operations.

lqliang

惨！ 看不懂英文

hbaoy

叫你用FreeBSD 6 就是了

不用看懂

偶也是EN白痴

antijp

I've explored the source code. FreeBSD has implemented two mechanisms in the kernel, one is syncache, the other is syncookie. If you tuned syncookie on, the kernel will firstly find the matching entry in the syncache when received ACK packets, if no matching entry found, the kernel will do a check on the returned SN. If you turned the syncookie off, you will probably sufferring from the synflood (D)?DOS attack

yyweng

antijp写的英文不难懂，写得比较简单

lqliang

楼上的你会就肯定说简单啦~

antijp

I am just too lazy to install the Chinese IM, though installing the fcitx just needs pkg_add -r.

[ 本帖最后由 antijp 于 2006-4-27 21:52 编辑 ]

zero-B

原帖由 antijp 于 2006-4-27 21:51 发表
I am just too lazy to install the Chinese IM, though installing the fcitx just needs pkg_add -r.

呵呵，有时pkg_add -r 并不是最好的解决办法啊！最好两个方法，要不是就从源码，要就从ports。

wigeboy

恩恩，发现语法错误