Ipchains based Linux firewall and webserver on inside - can it be done?

Post by Cliff Etze » Wed, 04 Oct 2000 04:00:00
The company I work for is looking for a cost effective solution to the
constant DDoS attacks that seem to be occurring on a frequent basis.

I have been charged with finding out if we can accomplish the following:

We want to set up a linux firewall with IPChains as the frontline defense
against these attacks to our web server.  The web server will reside behind
the linux firewall on an OC48 connection, but needs to have external web
traffic for our website to be accessible.

I am familiar with setting up the Linux box with IPChains and configuring
the script when I was doing * consulting, but I have only done this
for a standalone network not running a web server.

Can someone lend some assistance on this? Or am I asking too much in this
particular scenario?

TIA,

Cliff Etzel
Website Developer
PCS Internet

 
Post by Steve Co » Thu, 05 Oct 2000 09:54:58

> The company I work for is looking for a cost effective solution to the
> constant DDoS attacks that seem to be occurring on a frequent basis.

> I have been charged with finding out if we can accomplish the following:

> We want to set up a linux firewall with IPChains as the frontline
> defense against these attacks to our web server.  The web server will
> reside behind the linux firewall on an OC48 connection, but needs to
> have external web traffic for our website to be accessible.

> I am familiar with setting up the Linux box with IPChains and
> configuring the script when I was doing * consulting, but I have
> only done this for a standalone network not running a web server.

> Can someone lend some assistance on this? Or am I asking too much in
> this particular scenario?

> TIA,

> Cliff Etzel Website Developer PCS Internet

Linux could be up to this but you may also want to consider other
firewall options - www.gnatbox.com has a very good reputation.

As for linux ipchains and ipmasqadm should work fine - but depending on
timescales, you may want to consider the netfilter (iptables) facilities
of the new 2.4 kernel (includes Quality of Service so you could feasibly
limit the bandwidth of specific DoS attacks and leave some remaining for
web traffic). It also allows for stateful firewall rules.

Use the SYN-cookies facilities to help circumvent some of the effects of
SYN/ACK floods.

It would be best to set up a DMZ (Demilitarized Zone) firewall -
specifically, the firewall having 3 NICs. One interface to the internet,
one to the screwed down local LAN and the third to the public web
servers. This way you can drop some of the firewall security for the web
servers without compromising the local LAN.

 
Post by James Knot » Thu, 05 Oct 2000 04:00:00


Get yourself a copy of "Building Linux and OpenBSD
Firewalls", by Sonnenreich & Yates ISBN 4-713-5366-3,
published by Wiley.

It covers both the whys and hows of building a firewall.
Also, since it was built to be secure, you may wish to go
with OpenBSD.

The book was reviewed in the October Linux Journal.


> The company I work for is looking for a cost effective solution to the
> constant DDoS attacks that seem to be occurring on a frequent basis.

> I have been charged with finding out if we can accomplish the following:

> We want to set up a linux firewall with IPChains as the frontline defense
> against these attacks to our web server.  The web server will reside behind
> the linux firewall on an OC48 connection, but needs to have external web
> traffic for our website to be accessible.

> I am familiar with setting up the Linux box with IPChains and configuring
> the script when I was doing * consulting, but I have only done this
> for a standalone network not running a web server.

> Can someone lend some assistance on this? Or am I asking too much in this
> particular scenario?

> TIA,

> Cliff Etzel
> Website Developer
> PCS Internet

--
Replies sent via e-mail to this address will be ignored

with james.knott
 
Post by bill davids » Fri, 06 Oct 2000 04:00:00



| As for linux ipchains and ipmasqadm should work fine - but depending on
| timescales, you may want to consider the netfilter (iptables) facilities
| of the new 2.4 kernel (includes Quality of Service so you could feasibly
| limit the bandwidth of specific DoS attacks and leave some remaining for
| web traffic). It also allows for stateful firewall rules.

  Yes, 2.4 is far better for firewall, since it provides stateful
connection and rate limiting on packet types, so you can limit
connections from an IP to a port, from all IPs to a port, etc.

  Since masquerade, port forwarding, SNAT and DNAT are all built into
the base package, you don't need to browse the net looking for this and
that additional packages to do what you want.

| Use the SYN-cookies facilities to help circumvent some of the effects of
| SYN/ACK floods.
|
| It would be best to set up a DMZ (Demilitarized Zone) firewall -
| specifically, the firewall having 3 NICs. One interface to the internet,
| one to the screwed down local LAN and the third to the public web
| servers. This way you can drop some of the firewall security for the web
| servers without compromising the local LAN.

  I guess... Cisco does it with their PIX (from memory) product, but I
like separate firewalls if I bother at all. That way if the outer gets
compromised the inner may yet hold. See below:

  Inet =====[outer firewall]=========[inner firewall]===[trusted hosts]
                                |
                                |
                            [servers]

  While a three NIC firewall is more like:

  Inet ============[firewall]============[trusted hosts]
                        |
                        |
                    [servers]

  You can do this with iptables easily, and with ipchains with a good
bit of thought. I would send a very limited number of services to the
servers, and never let it generate a SYN packet to the inner net.

  The added security of dual firewalls is not cost effective in most
cases, without a doubt. If remote logins are really required you can use
a VPN server on a separate machine for highest security, but again it's
not cost effective in most cases.

  They really ARE out to get you.

--

Make the rules? I don't make the rules. I don't even FOLLOW the rules!
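The two replies above recommend the same building blocks: SYN cookies, a three-NIC DMZ, stateful rules with rate limiting under the 2.4 netfilter code, and never letting the DMZ servers open a connection into the inner LAN. The script below is an added example written for this page, not code posted in the thread, that puts those pieces into one iptables ruleset. Interface names, the 203.0.113.10 public address, the 192.168.x.0/24 ranges, the web server address and the connection-rate numbers are all assumptions chosen for illustration. By default it prints the commands instead of applying them, so the ruleset can be reviewed on any machine; set APPLY=1 on the firewall itself.

```shell
#!/bin/sh
# Added example (not from the thread): a 2.4-kernel iptables ruleset for the
# three-NIC DMZ layout the replies describe. Interfaces, addresses and the
# rate-limit figures below are assumptions chosen for illustration.
EXT_IF=eth0                  # to the Internet
LAN_IF=eth1                  # the locked-down local LAN
DMZ_IF=eth2                  # the public web servers
EXT_IP=203.0.113.10          # assumed public address of the firewall
LAN_NET=192.168.1.0/24       # assumed private LAN range
WEB=192.168.2.80             # assumed web server address in the DMZ

# Print each command instead of running it unless APPLY=1, so the ruleset
# can be reviewed offline before it touches a live firewall.
run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$@"; fi
}

dmz_rules() {
    # SYN cookies soften the effect of SYN floods on the firewall's own
    # sockets; the web server behind it wants the same setting.
    run sysctl -w net.ipv4.tcp_syncookies=1
    run sysctl -w net.ipv4.ip_forward=1

    run iptables -F
    run iptables -t nat -F
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT

    # Stateful core: replies and related packets pass; every NEW connection
    # must be opened explicitly below, in one direction only.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Public web traffic: DNAT port 80 on the public address to the DMZ host
    # and cap the rate of NEW connections. This is a global limit; the 2.4
    # base package has no per-source connection limit.
    run iptables -t nat -A PREROUTING -i $EXT_IF -d $EXT_IP -p tcp --dport 80 -j DNAT --to-destination $WEB
    run iptables -A FORWARD -i $EXT_IF -o $DMZ_IF -d $WEB -p tcp --dport 80 -m state --state NEW -m limit --limit 200/s --limit-burst 400 -j ACCEPT

    # The servers never generate a SYN toward the inner net: insert the drop
    # at the head of FORWARD so nothing earlier can match it, and drop any
    # other NEW traffic from the DMZ to the LAN as well.
    run iptables -I FORWARD 1 -i $DMZ_IF -o $LAN_IF -p tcp --syn -j DROP
    run iptables -A FORWARD -i $DMZ_IF -o $LAN_IF -m state --state NEW -j DROP

    # The LAN may reach the web server and the Internet; outbound LAN
    # traffic is SNATed to the public address (masquerading in 2.2 terms).
    run iptables -A FORWARD -i $LAN_IF -o $DMZ_IF -d $WEB -p tcp --dport 80 -m state --state NEW -j ACCEPT
    run iptables -A FORWARD -i $LAN_IF -o $EXT_IF -s $LAN_NET -m state --state NEW -j ACCEPT
    run iptables -t nat -A POSTROUTING -o $EXT_IF -s $LAN_NET -j SNAT --to-source $EXT_IP

    # Log what the default DROP policy is about to discard, rate-limited so
    # a flood cannot fill the disk with log lines.
    run iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
}

dmz_rules
```

The order matters: the ESTABLISHED,RELATED rule lets the web server's replies back out without a separate rule per service, and the `-I FORWARD 1` line guarantees the DMZ-to-LAN SYN drop sits ahead of it. If an administrator later needs a service from the DMZ into the LAN (a database, say), add one narrow ACCEPT for that destination and port above the NEW drop rather than loosening the drop itself.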
