MoinQ:

Describe FreeBSD/etc/sysctl here.

https://twitter.com/tss_ontap_o/status/1098525232720007169

How to randomize the IP Identification (IP-ID) on FreeBSD
  echo "net.inet.ip.random_id=1" >> /etc/sysctl.conf
then reboot.

This should be mandatory on DNS authoritative servers as a countermeasure against the aikora (fragment collage) attack.
I think it should be raised as a warning together with port randomization for DNS cache servers.
19:09 - 21 Feb 2019

sysctl net.inet.ip.random_id=1

https://tools.ietf.org/html/rfc6864

https://gist.github.com/clemensg/8828061

net.inet.ip.random_id=1 # assign a random IP_ID to each packet leaving the system (default 0)

# /etc/sysctl.conf
# Clemens Gruber, 2014
#

# Prevent users from seeing information about processes that are being run
# under another UID.
security.bsd.see_other_uids=0

## I/O

# Increase VFS read-ahead
# (Samsung 830 SSD drives went from 310 MB/sec to 372 MB/sec)
# Default: 64
vfs.read_max=128

# Unbound needs big socket buffers
#kern.ipc.maxsockbuf=10000000

## Settings for FreeBSD as a router
# A speedup of 40 to 60% in packet forwarding performance!
#net.inet.ip.forwarding=1
#net.inet.ip.fastforwarding=1
# 3900 seconds allows clients who connect regularly to stay in our hostcache
#net.inet.tcp.hostcache.expire=3900
# The OS buffer / backlog queue depth for accepting new TCP connections
#kern.ipc.somaxconn=1024

# maximum segment size (MSS) specifies the largest amount of data in a single TCP segment
# For most networks 1460 is optimal, but you may want to be cautious and use
# 1440. This smaller MSS allows an extra 20 bytes of space for those client which are on a
# DSL line which may use PPPoE. These networks have extra header data stored in
# the packet and if there is not enough space, must be fragmented over additional
# partially filled packets.
# Default: 536
net.inet.tcp.mssdflt=1440

# Loopback interface tuning
net.inet.tcp.nolocaltimewait=1

# Allow the web server to quickly dump the entire requested page set into
# the network buffer (SOCK_STREAM) and free web server resources
# Set it to 256KB, should be enough for most pages
# Default 32KB
#net.inet.tcp.sendspace=262144

# Syncookies are only useful when under DOS attack
net.inet.tcp.syncookies=0
# If under DOS, set it to 1
# Also, uncomment the following:
#net.inet.tcp.syncache.rexmtlimit=0

# disable flow control for intel nics. many isp's abuse flow control to slow down
# customers even though you are not using your full bandwidth. (default 3)
#dev.em.0.fc=0

# General Security and DoS mitigation.
net.inet.ip.check_interface=1         # verify packet arrives on correct interface (default 0)
net.inet.ip.portrange.randomized=1    # randomize outgoing upper ports (default 1)
net.inet.ip.process_options=0         # IP options in the incoming packets will be ignored (default 1)
net.inet.ip.random_id=1               # assign a random IP_ID to each packet leaving the system (default 0)
net.inet.ip.redirect=0                # do not send IP redirects (default 1)
net.inet.ip.accept_sourceroute=0      # drop source routed packets since they can not be trusted (default 0)
net.inet.ip.sourceroute=0             # if source routed packets are accepted the route data is ignored (default 0)
net.inet.icmp.bmcastecho=0            # do not respond to ICMP packets sent to IP broadcast addresses (default 0)
net.inet.icmp.maskfake=0              # do not fake reply to ICMP Address Mask Request packets (default 0)
net.inet.icmp.maskrepl=0              # replies are not sent for ICMP address mask requests (default 0)
net.inet.icmp.log_redirect=0          # do not log redirected ICMP packet attempts (default 0)
net.inet.icmp.drop_redirect=1         # no redirected ICMP packets (default 0)
net.inet.icmp.icmplim_output=1        # show "Limiting open port RST response" messages (default 1)
net.inet.tcp.always_keepalive=0       # tcp keep alive detection for dead peers, can be spoofed (default 1)
net.inet.tcp.drop_synfin=1            # SYN/FIN packets get dropped on initial connection (default 0)
#net.inet.tcp.fast_finwait2_recycle=1  # recycle FIN/WAIT states quickly (helps against DoS, but may cause false RST) (default 0)
net.inet.tcp.icmp_may_rst=0           # icmp may not send RST to avoid spoofed icmp/udp floods (default 1)
net.inet.tcp.msl=15000                # 15s maximum segment life waiting for an ACK in reply to a SYN-ACK or FIN-ACK (default 30000)
net.inet.tcp.path_mtu_discovery=0     # disable MTU discovery since most ICMP type 3 packets are dropped by others (default 1)
net.inet.tcp.rfc3042=0                # disable limited transmit mechanism which can slow burst transmissions (default 1)
net.inet.tcp.sack.enable=1            # TCP Selective Acknowledgments are needed for high throughput (default 1)
net.inet.udp.blackhole=1              # drop udp packets destined for closed sockets (default 0)
net.inet.tcp.blackhole=2              # drop tcp packets destined for closed ports (default 0)

## IPv6 Security
# Disable Node info replies
net.inet6.icmp6.nodeinfo=0
# Turn on IPv6 privacy extensions
net.inet6.ip6.use_tempaddr=1
net.inet6.ip6.prefer_tempaddr=1
# Disable ICMP redirect
net.inet6.icmp6.rediraccept=0
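The tweet above gives the one-line procedure (append to /etc/sysctl.conf and reboot) and the gist gives a whole hardening block, but neither shows how to verify that a host actually ends up with those values. The following added example is not part of this wiki page or of Clemens Gruber's gist: a POSIX shell function that audits "key=value" lines against a small baseline taken from the gist's DoS-mitigation block. Because `sysctl -e key ...` prints exactly that format on FreeBSD, and /etc/sysctl.conf uses the same format, the same function checks either the running kernel or the config file. The host state fed to it here is a constructed sample, so the script runs on any system without touching sysctl.

```shell
#!/bin/sh
# Added example, not from the wiki page or the gist: audit current sysctl
# values against a hardening baseline.
#
# On a live FreeBSD host you would run one of:
#   sysctl -e net.inet.ip.random_id net.inet.ip.redirect ... | audit_sysctl
#   audit_sysctl < /etc/sysctl.conf
# Below, the "current state" is a constructed sample so this runs anywhere.

# Baseline (key=expected), taken from the security block of the gist.
BASELINE='net.inet.ip.random_id=1
net.inet.ip.redirect=0
net.inet.ip.accept_sourceroute=0
net.inet.icmp.drop_redirect=1
net.inet.tcp.drop_synfin=1
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1'

# audit_sysctl: reads key=value lines on stdin (comments and blank lines are
# ignored, trailing "# ..." comments are stripped, a later line for the same
# key overrides an earlier one, as sysctl.conf itself behaves). Prints one
# OK / MISMATCH / MISSING line per baseline key and returns 0 only when every
# key is present with the expected value.
audit_sysctl() {
    awk -F= -v baseline="$BASELINE" '
        BEGIN {
            n = split(baseline, lines, "\n")
            for (i = 1; i <= n; i++) {
                split(lines[i], kv, "=")
                order[i] = kv[1]; want[kv[1]] = kv[2]
            }
        }
        {
            sub(/#.*/, "")                 # drop trailing comments
            if (NF < 2) next               # blank or comment-only line
            gsub(/[ \t]/, "", $1); gsub(/[ \t]/, "", $2)
            have[$1] = $2
        }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                k = order[i]
                if (!(k in have))            { print "MISSING  " k " (want " want[k] ")"; bad++ }
                else if (have[k] != want[k]) { print "MISMATCH " k "=" have[k] " (want " want[k] ")"; bad++ }
                else                         { print "OK       " k "=" have[k] }
            }
            exit (bad > 0)
        }'
}

# Constructed sample: a hypothetical host whose sysctl.conf still carries the
# FreeBSD default IP-ID behaviour (random_id=0) and never sets udp.blackhole.
sample_current() {
    cat <<'EOF'
# /etc/sysctl.conf on a hypothetical host (constructed sample)
net.inet.ip.random_id=0               # default: sequential IP-ID
net.inet.ip.redirect=0
net.inet.ip.accept_sourceroute=0
net.inet.icmp.drop_redirect=1
net.inet.tcp.drop_synfin=1
net.inet.tcp.blackhole=2
EOF
}

# count_findings: number of baseline keys that are missing or mismatched.
count_findings() {
    audit_sysctl | grep -c -E '^(MISMATCH|MISSING)'
}

# Run the audit on the constructed sample (two findings expected).
sample_current | audit_sysctl || echo "baseline not met"
```

The exit status makes the function usable from a cron job or a configuration-management check, and the MISSING case matters as much as MISMATCH: a key that is absent from /etc/sysctl.conf silently keeps the kernel default, which for `net.inet.ip.random_id` is the non-random behaviour the tweet is warning about.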