From: Chris
To: freeBSD
Date: Wed, 13 Sep 2006 19:52:53 -0700
Subject: Under Attack: Bandwidth throttling on 5.2.1?

This is probably going to tax the memory. I'm sorry in advance. We observed 2 hangs and 3 crashes in the last 5 hours and finally, after looking at the nature of the traffic, it appears to be little infested Windows spybots from all over targeting our forums to attempt to reply to all messages with gambling and other spam. The referer in every case is a few obvious spam sites. We measured 33 pages per second and all invoking perl (well, you can imagine the load). It's killed the system in several ways I've never even seen. We shut down on purpose for the first time in years, which is pretty bad for business.

I'm readying the quad Opteron Tyan to take down and shove in its place since the T1 can't swamp it, but still building. The machine is a dual 3.0 Xeon with 4G and Intel 1000/Pro on 5.2.1 with IPFW enabled. If I can configure throttling on this old a system, we could come back up, I think, and try to ride out the attack. I've never done this before but in an earlier thread I saw where you configure a pipe such as:

    ipfw pipe 1 config bw 256Kbit/s
    ipfw add pipe 1 tcp from 192.168.1.2 80

then set sysctl.conf

    net.inet.ip.fw.one_pass=1

Is that all that's necessary for this old a system or is there anything else? If this is correct, would this keep this fellow from crashing?
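
An added example, not part of the original message: the post notes that every abusive request carries a Referer from a few spam sites, so this sketch tallies external referer hosts in an access log to find the ones worth refusing at the web server before the perl script runs. It assumes Apache "combined" log format; the host names, script path and thresholds are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Apache "combined" log format (assumed; the post does not name the web server).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def referer_stats(lines, own_hosts=()):
    """Per external referer host: total hits, peak hits in one second, distinct clients."""
    hits = Counter()
    per_second = defaultdict(Counter)
    clients = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed or truncated line: skip it
        host = (urlsplit(m["referer"]).hostname or "").lower()
        if not host or host in own_hosts:
            continue  # empty or "-" referer, or one of the site's own pages
        hits[host] += 1
        per_second[host][m["ts"]] += 1  # log timestamps have one-second resolution
        clients[host].add(m["ip"])
    return {h: {"hits": n, "peak_per_sec": max(per_second[h].values()),
                "clients": len(clients[h])} for h, n in hits.items()}

def suspicious_referers(lines, own_hosts=(), min_peak=3, min_clients=2):
    """Referer hosts seen at a high per-second rate from several client addresses."""
    stats = referer_stats(lines, own_hosts)
    return sorted(h for h, s in stats.items()
                  if s["peak_per_sec"] >= min_peak and s["clients"] >= min_clients)

def _line(ip, sec, ref):
    # Builds one constructed log line; /cgi-bin/forum.pl is a hypothetical path.
    return (f'{ip} - - [13/Sep/2006:19:40:{sec:02d} -0700] '
            f'"POST /cgi-bin/forum.pl HTTP/1.0" 200 512 "{ref}" "Mozilla/4.0"')

# Constructed sample: four bots in one second, one normal visitor, one direct hit, one bad line.
SAMPLE = ([_line(f"203.0.113.{i}", 1, "http://casino.example/win") for i in range(1, 5)]
          + [_line("198.51.100.7", 2, "http://forum.example/thread/9"),
             _line("198.51.100.8", 3, "-"), "garbage line"])

if __name__ == "__main__":
    print(suspicious_referers(SAMPLE, own_hosts={"forum.example"}))
```

The Referer header is supplied by the client, so a list built this way is a cheap first filter against this particular flood and does not replace rate limiting.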