
Re: can i use openBSD4.2 for prevention of DoS attacks



It's important to differentiate what type of DoS attack you're referring to. Whether it's a network traffic based DoS (bandwidth or pps), or a software vulnerability based DoS makes a world of difference. The patches you're referring to are probably based on software vulnerabilities in OpenBSD itself, and can be exploited without a large amount of traffic. To test the DoS vulnerability in software, you would either need to code something up yourself to take advantage of the vulnerability, or look for some proof of concept code that does it.

To stop remote software based DoS'es on other platforms using OpenBSD as a router/firewall is a bit trickier. If the attack is on a legitimate service that needs to be open, you'd need deep packet inspection. You could use Hogwash, which makes use of Snort to do inline packet scrubbing.

As for traffic based attacks, there are single source DoS'es that can't be stopped, just as there are DDoS'es that can be stopped easily. What matters most is whether the attack traffic can be distinguished from legitimate traffic, or whether your network/hardware/server can handle the attack volume.

Of course, a single source DoS is easier to distinguish from legitimate traffic, since you can just block the source IP, but some DDoS'es are also easy enough to filter out based on protocol, port, etc.

OpenBSD/PF does a good enough job with smaller network attacks. Your hardware, configuration, rule set, etc. will all affect how much traffic your setup can handle. For larger attacks, you'll need specialized hardware that makes use of ASICs instead of generic PC hardware. For the really big attacks, there's nothing you can do yourself, as the attack will need to be handled upstream by a DDoS mitigation provider, like Ypigsfly http://www.ypigsfly.com .


-Han Hwei Woo




Sunnz wrote:
2008/7/2 kavitha reddy <dwaramkavithareddy_(_at_)_yahoo_(_dot_)_com>:
sir,
   I am kavitha, working as ASSOC. Prof. in a reputed engg. college, INDIA. I
would be very much glad if you can do this favour.
Very recently I bought OpenBSD 4.2 (pack of 3 CDs). Now, as a part of my
research work I am interested to know whether it is possible to show DoS
attacks in OpenBSD 4.1. If so let me know how that can be possible. As you said
when a patch added to OpenBSD 4.2, prevents remote DoS attacks. How can this
be tested?
With your kind help, I can further continue my research work on this.
Anyhow, thanks for sparing your valuable time to read this.
kavitha



Are you sure you want to prevent a DoS attack? Or a DDoS attack? As far as
I know, you can only prevent a DoS attack, but it is impossible to
prevent a DDoS attack within the system itself on any OS on the planet.

Also, the latest release of OpenBSD is 4.3, 4.2 is still being
maintained and 4.1 would have discontinued support.

You might get better answers by searching in the misc archive.
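
An added example, not part of the original thread: a pf.conf fragment for the single-source case described in the reply above, where PF tracks each source address and moves one that exceeds the limits into a blocked table. The interface name, server address, table name and thresholds are assumptions chosen for illustration.

```pf
# Added illustration; the interface, address, table name and limits
# below are assumed values, not taken from the thread.
ext_if = "em0"            # assumed external interface
web    = "192.0.2.10"     # assumed server address (documentation range)

# Sources that exceed the limits below are added to this table by PF.
table <abusers> persist

# Default deny on the external interface.
block in on $ext_if all

# Drop everything from a source that has already been flagged.
block in quick on $ext_if from <abusers>

# Allow the service, but track state per source address:
#   max-src-conn       simultaneous TCP connections from one source
#   max-src-conn-rate  new connections from one source per interval
#                      (here 15 connections in 5 seconds)
#   overload ... flush global
#                      put the offending source in <abusers> and
#                      remove all states it has already created
pass in on $ext_if proto tcp to $web port www flags S/SA \
    keep state (max-src-conn 100, max-src-conn-rate 15/5, \
                overload <abusers> flush global)
```

These limits count only TCP connections that have completed the three-way handshake, so they address the distinguishable single-source case and not spoofed or volumetric floods. `pfctl -t abusers -T show` lists the flagged addresses.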


