suggested configuration for apf's anti-dos?

Secret Agent

Guest
Please suggest recommended anti-dos (from APF) settings (default below)

#
# antidos beta 0.6 [[email protected]]
#
# NOTE: This file should be edited with word/line wrapping off;
# if you're using pico, please start it with the -w switch
# (e.g.: pico -w filename).
#
##
# [Main Configuration]
##
#
# Installation base path of apf
APF_BASE="/etc/apf"
#
# Config file path for apf
APF_CNF="$APF_BASE/conf.apf"
#
# Installation path
INSPATH="$APF_BASE/ad"
#
# Log file for antidos
ANTILOG="/var/log/apfados_log"
#
# Max load; do not allow antidos to run past this load level
MLOAD="30"

##
# [Attack Triggers & Routines]
##
#
# Parse klog for iptables logged attacks [0=off,1=on]
LP_KLOG="0"
#
# Parse snort portscan log for attacks [0=off,1=on]
LP_SNORT="0"
#
# Try to detect syn-flood attacks [0=off,1=on]
DET_SF="0"
#
# Kernel log file
KLOG="/var/log/messages"
#
# Snort portscan log file [experimental]
SLOG="/var/log/snort/portscan.log"
#
# Trigger value before we drop an event SRC
TRIG="20"
#
# Trigger value before we drop syn-floods for SRC
SF_TRIG="25"
#
# Trigger ports for syn-flood; null for all
SF_TRIG_PORTS="80,443"


##
# [Attack Filtering]
##
#
# Reject attackers in route table [0=off,1=on]
ROUTE_REJ="0"
#
# Drop destination interface [0=off,1=on]
DROP_IF="0"
#
# Do not drop the interface for events matching these ports;
# line-separated strings.
NCRIT_PORTS="$INSPATH/noncrit.ports"
#
# Block attacks with iptables [0=off,1=on]
IPT_BL="1"
#
# Where to write the iptables rules to
BLOCKR="$INSPATH/ad.rules"

##
# [E-Mail Alerts]
##
#
# Topic for warning emails
ARTOPIC="Urgent: Administrative issue enclosed, please read."
#
# Max number of emails to send
MAX_MNUM="12"
#
# Company name used in the alert messages
CONAME="Your Company"
#
# Send out user defined attack alerts [0=off,1=on]
USR_ALERT="0"
#
# User for alerts to be mailed to
USR="[email protected]"
#
# Send out ip-whois abuse alerts upon attack [0=off,1=on]
ARIN_ALERT="0"
#
# Whois server for default queries
IPW_SRV="whois.arin.net"
#
# Return path for email alerts (reply address)
RETUSR="$USR"

##
# [Misc Paths]
##
#
# Arin attack warning file
WARIN="$INSPATH/arin.msg"
#
# User attack warning file
WUSR="$INSPATH/usr.msg"
#
# Ignore file, for ignoring hosts/specific patterns
IGNORE="$INSPATH/ignore"
IGNORE_HOSTS="$INSPATH/ignore.hosts"
#
# Data file to track amount of emails sent
MNUM_F="$INSPATH/.mnum"
#
# Firewall chains keyword file
FWCHAINS="$INSPATH/chains"
#
# Just a temp file we can write to
TMPF="$INSPATH/.ad.swp"
#
# Grab the systems numeric timezone (e.g: -0500)
TMZ=`date +"%z"`
#
# unix time for lock tracking
UTIME=`date +"%s"`
#
# lock file path
LOCK="$INSPATH/lock.utime"
#
# lock file timeout in seconds
LOCK_TIMEOUT="300"
 

Compubuster

Well-Known Member
Mar 31, 2004
For me, I change the following:


Code:
# Max load; do not allow antidos to run past this load level 
MLOAD="10" 

# Parse klog for iptables logged attacks [0=off,1=on] 
LP_KLOG="1" 

# Try to detect syn-flood attacks [0=off,1=on] 
DET_SF="1" 

# Trigger value before we drop an event SRC 
TRIG="10" 
# 
# Trigger value before we drop syn-floods for SRC 
SF_TRIG="15"
 

haze

Well-Known Member
Dec 21, 2001
It's all a matter of what works best for you. I find the following to cause fewer problems on our machines:

# Trigger value before we drop an event SRC
TRIG="30"
#
# Trigger value before we drop syn-floods for SRC
SF_TRIG="35"
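To make the effect of the TRIG and MLOAD values discussed in this thread concrete, here is an added Python model of the LP_KLOG=1 path (counting iptables DROP events per SRC in the kernel log and blocking a source once it reaches TRIG, unless the load is already above MLOAD or the host is in ignore.hosts). It is not APF's own code; the log lines, the "DROP" keyword match and the ">= TRIG" comparison are assumptions.

```python
import re
from collections import Counter

# Constructed sample of iptables DROP lines as syslog writes them to the KLOG file
# (/var/log/messages): one source hits port 22 twelve times, another hits port 80
# twenty-five times. The "IN_TCP DROP" prefix is an assumed log-prefix, not APF's.
SAMPLE_KLOG = "\n".join(
    [f"Apr  1 10:00:{i:02d} host kernel: IN_TCP DROP IN=eth0 OUT= "
     f"SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT={40000 + i} DPT=22"
     for i in range(12)]
    + [f"Apr  1 10:01:{i:02d} host kernel: IN_TCP DROP IN=eth0 OUT= "
       f"SRC=192.0.2.9 DST=203.0.113.5 PROTO=TCP SPT={50000 + i} DPT=80"
       for i in range(25)]
)

SRC_RE = re.compile(r"\bSRC=(\d{1,3}(?:\.\d{1,3}){3})\b")


def count_dropped_sources(klog_text):
    """Count iptables-logged DROP events per source address (what LP_KLOG=1 parses)."""
    counts = Counter()
    for line in klog_text.splitlines():
        if "DROP" not in line:          # assumed: only logged drops count as events
            continue
        match = SRC_RE.search(line)
        if match:
            counts[match.group(1)] += 1
    return counts


def sources_to_block(counts, trig, load1, mload, ignore_hosts=()):
    """Sources whose event count reached TRIG. Returns nothing when the 1-minute
    load is above MLOAD (antidos does not run then) and skips IGNORE_HOSTS entries."""
    if load1 > mload:
        return []
    ignored = set(ignore_hosts)
    return sorted(src for src, n in counts.items() if n >= trig and src not in ignored)


if __name__ == "__main__":
    counts = count_dropped_sources(SAMPLE_KLOG)
    # Default TRIG=20 blocks only the port-80 source; TRIG=10 (Compubuster) also
    # blocks the port-22 source; TRIG=30 (haze) blocks neither of them.
    for trig in (20, 10, 30):
        print(f"TRIG={trig}:", sources_to_block(counts, trig, load1=1.0, mload=30))
    # With the load over MLOAD the run is skipped regardless of the counts.
    print("load 35 > MLOAD 30:", sources_to_block(counts, 10, load1=35.0, mload=30))
```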