FreeBSD/etc/sysctlについて、ここに記述してください。
https://twitter.com/tss_ontap_o/status/1098525232720007169
FreeBSD で IP Identification (IP-ID) をランダマイズする方法 echo "net.inet.ip.random_id=1" >> /etc/sysctl.conf してリブート。 アイコラ攻撃対策として DNS 権威サーバでは必須でしょう。 DNS キャッシュサーバのポートランダマイズと合わせて注意喚起すべきだと思う。 19:09 - 2019年2月21日
sysctl net.inet.ip.random_id=1
https://tools.ietf.org/html/rfc6864
https://gist.github.com/clemensg/8828061
net.inet.ip.random_id=1 # assign a random IP_ID to each packet leaving the system (default 0)
# /etc/sysctl.conf # Clemens Gruber, 2014 # # Uncomment this to prevent users from seeing information about processes that # are being run under another UID. security.bsd.see_other_uids=0 ## I/O # Increase VFS read-ahead # (Samsung 830 SSD drives went from 310 MB/sec to 372 MB/sec) # Default: 64 vfs.read_max=128 # Unbound needs big socket buffers #kern.ipc.maxsockbuf=10000000 ## Settings for FreeBSD as a router # A speedup of 40 to 60% in packet forwarding performance! #net.inet.ip.forwarding=1 #net.inet.ip.fastforwarding=1 # 3900 seconds allows clients who connect regularly to stay in our hostcache #net.inet.tcp.hostcache.expire=3900 # The OS buffer / backlog queue depth for accepting new TCP connections #kern.ipc.somaxconn=1024 # maximum segment size (MSS) specifies the largest amount of data in a single TCP segment # For most networks 1460 is optimal, but you may want to be cautious and use # 1440. This smaller MSS allows an extra 20 bytes of space for those client which are on a # DSL line which may use PPPoE. These networks have extra header data stored in # the packet and if there is not enough space, must be fragmented over additional # partially filled packets. # Default: 536 net.inet.tcp.mssdflt=1440 # Loopback interface tuning net.inet.tcp.nolocaltimewait=1 # Allow the web server to quickly dump the entire requested page set into # the network buffer (SOCK_STREAM) and free web server resources # Set it to 256KB, should be enough for most pages # Default 32KB #net.inet.tcp.sendspace=262144 # Syncookies are only useful when under DOS attack net.inet.tcp.syncookies=0 # If under DOS, set it to 1 # Also, uncomment the following: #net.inet.tcp.syncache.rexmtlimit=0 # disable flow control for intel nics. many isp's abuse flow control to slow down # customers even though you are not using your full bandwidth. (default 3) #dev.em.0.fc=0 # General Security and DoS mitigation. net.inet.ip.check_interface=1 # verify packet arrives on correct interface (default 0) net.inet.ip.portrange.randomized=1 # randomize outgoing upper ports (default 1) net.inet.ip.process_options=0 # IP options in the incoming packets will be ignored (default 1) net.inet.ip.random_id=1 # assign a random IP_ID to each packet leaving the system (default 0) net.inet.ip.redirect=0 # do not send IP redirects (default 1) net.inet.ip.accept_sourceroute=0 # drop source routed packets since they can not be trusted (default 0) net.inet.ip.sourceroute=0 # if source routed packets are accepted the route data is ignored (default 0) net.inet.icmp.bmcastecho=0 # do not respond to ICMP packets sent to IP broadcast addresses (default 0) net.inet.icmp.maskfake=0 # do not fake reply to ICMP Address Mask Request packets (default 0) net.inet.icmp.maskrepl=0 # replies are not sent for ICMP address mask requests (default 0) net.inet.icmp.log_redirect=0 # do not log redirected ICMP packet attempts (default 0) net.inet.icmp.drop_redirect=1 # no redirected ICMP packets (default 0) net.inet.icmp.icmplim_output=1 # show "Limiting open port RST response" messages (default 1) net.inet.tcp.always_keepalive=0 # tcp keep alive detection for dead peers, can be spoofed (default 1) net.inet.tcp.drop_synfin=1 # SYN/FIN packets get dropped on initial connection (default 0) #net.inet.tcp.fast_finwait2_recycle=1 # recycle FIN/WAIT states quickly (helps against DoS, but may cause false RST) (default 0) net.inet.tcp.icmp_may_rst=0 # icmp may not send RST to avoid spoofed icmp/udp floods (default 1) net.inet.tcp.msl=15000 # 15s maximum segment life waiting for an ACK in reply to a SYN-ACK or FIN-ACK (default 30000) net.inet.tcp.path_mtu_discovery=0 # disable MTU discovery since most ICMP type 3 packets are dropped by others (default 1) net.inet.tcp.rfc3042=0 # disable limited transmit mechanism which can slow burst transmissions (default 1) net.inet.tcp.sack.enable=1 # TCP Selective Acknowledgments are needed for high throughput (default 1) net.inet.udp.blackhole=1 # drop udp packets destined for closed sockets (default 0) net.inet.tcp.blackhole=2 # drop tcp packets destined for closed ports (default 0) ## IPv6 Security # Disable Node info replies net.inet6.icmp6.nodeinfo=0 # Turn on IPv6 privacy extensions net.inet6.ip6.use_tempaddr=1 net.inet6.ip6.prefer_tempaddr=1 # Disable ICMP redirect net.inet6.icmp6.rediraccept=0