Date: Sun, 5 Jan 2003 17:15:49 -0500
From: Barney Wolff <barney@pit.databus.com>
To: Josh Brooks <user@mail.econolodgetulsa.com>
Cc: Lars Eggert <larse@ISI.EDU>, freebsd-net@FreeBSD.ORG
Subject: Re: Need help dealing with (D)DoS attacks (desperately)
Message-ID: <20030105221549.GA81793@pit.databus.com>
In-Reply-To: <20030105132545.I80512-100000@mail.econolodgetulsa.com>
References: <3E18A1BA.8000607@isi.edu> <20030105132545.I80512-100000@mail.econolodgetulsa.com>
On Sun, Jan 05, 2003 at 01:31:24PM -0800, Josh Brooks wrote:
> So, I have 927 ipfw rules in place - but I am guessing that about 800 of
> those rules are just "count" rules for me to count bandwidth:
>
> 001 164994 120444282 count ip from any to 10.10.10.10
> 002 158400 16937232 count ip from 10.10.10.10 to any

Much of your problem is that you're running through all the rules on every
packet. ipfw keeps going until it hits an allow or deny rule. Since all
rules get counted, I'd suggest putting all your denies up front, and then
have allow rules, not count rules, with the most heavily used addresses
first. That way, many fewer rules should get interpreted for each packet.
An even fancier scheme would use skipto and divide up your IP ranges in a
binary search.

-- 
Barney Wolff         http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030105221549.GA81793>
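The restructuring Barney describes above, as an added example that is not part of the original thread: a POSIX sh script that generates an ipfw ruleset with the denies up front, per-host allow rules (which still keep packet and byte counters, visible with `ipfw -a list`) ordered busiest-first, and one level of the skipto "binary search" that splits a /24 into its two /25 halves. The `allow`, `deny`, `skipto` and `count` syntax and the `-q`/`-a` flags are real ipfw; the protected block 10.10.10.0/24, the ATTACKERS and TOP_TALKERS lists, the rule numbers and the `IPFW` variable are constructed assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the original thread): generate an ipfw ruleset in
# which almost every packet terminates early. ipfw walks rules in number
# order until an allow or deny matches; a count rule never stops the walk,
# so replacing per-host count rules with per-host allow rules keeps the
# counters (see `ipfw -a list`) while ending the walk at the first hit.
#
# Assumptions (constructed, not taken from the thread): the protected block
# is 10.10.10.0/24, ATTACKERS and TOP_TALKERS are sample addresses, and
# $IPFW is the command the rules are fed to. IPFW=echo prints instead of
# loading, which is handy for reviewing the generated set.

IPFW="${IPFW:-ipfw -q}"

# Sources currently flooding us: rejected before any allow rule can match.
ATTACKERS="192.0.2.10 192.0.2.11 198.51.100.7"

# Customer hosts ordered busiest-first (taken from the old count rules), so
# the hottest allow rule sits highest within its section.
TOP_TALKERS="10.10.10.10 10.10.10.200 10.10.10.3 10.10.10.150"

# Denies up front: a flood packet stops at rule 100+n and never reaches the
# several hundred per-customer rules below.
deny_rules() {
    n=100
    for src in $ATTACKERS; do
        echo "add $n deny ip from $src to any"
        n=$((n + 1))
    done
}

# Per-host allow rules (both directions) starting at rule $1 for the hosts
# given as the remaining arguments. Each allow terminates the walk.
allow_rules() {
    n=$1; shift
    for host in "$@"; do
        echo "add $n allow ip from any to $host"
        echo "add $((n + 1)) allow ip from $host to any"
        n=$((n + 10))
    done
}

# One level of the "binary search" layout: a skipto sends traffic for the
# upper /25 straight to its own section, so a packet walks only the allow
# rules of the half it belongs to. Nest the same split (/26, /27, ...) to
# shorten the walk further.
split_rules() {
    lower=""; upper=""
    for host in $TOP_TALKERS; do
        if [ "${host##*.}" -ge 128 ]; then upper="$upper $host"; else lower="$lower $host"; fi
    done
    echo "add 5000 skipto 6000 ip from any to 10.10.10.128/25"
    echo "add 5001 skipto 6000 ip from 10.10.10.128/25 to any"
    allow_rules 5010 $lower     # section for 10.10.10.0/25 (word splitting intended)
    allow_rules 6000 $upper     # section for 10.10.10.128/25
}

# Full ruleset, one ipfw subcommand per line, closed by an explicit default
# deny so nothing falls through to the implicit rule 65535.
ruleset() {
    deny_rules
    split_rules
    echo "add 65000 deny ip from any to any"
}

# Load it: flush the old set, then add the new one rule by rule.
load_ruleset() {
    $IPFW flush
    ruleset | while read -r line; do
        $IPFW $line   # word splitting intended: each line is one subcommand
    done
}

# Helpers for inspection.
rule_count() { ruleset | wc -l | tr -d ' '; }
nth_rule()   { ruleset | sed -n "${1}p"; }

if [ "${1:-}" = "load" ]; then load_ruleset; fi
```

Run as `sh rules.sh load` on the firewall, or `IPFW=echo sh rules.sh load` to review the generated commands first. Two caveats for anyone converting count rules this way: a packet now increments only the first terminating rule it hits, so traffic between two customers is attributed to whichever of the two hosts' rules comes first in the walk rather than to both as the old count pairs did; and the skipto rules carry their own counters, so per-half totals are available from them for free.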