Date:      Thu, 15 Mar 2012 20:40:49 +0000
From:      Seyit Özgür <seyit.ozgur@istanbul.net>
To:        Chuck Swiger <cswiger@mac.com>
Cc:        "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>
Subject:   RE: Malformed syn packet cause %100 cpu and interrupts FreeBSD 9.0 release
Message-ID:  <3807CE6F3BF4B04EB897F4EBF2D258CE5C05F2D0@yuhanna.magnetdigital.local>
In-Reply-To: <13511933-562D-4887-951B-5BB01F62AB00@mac.com>
References:  <3807CE6F3BF4B04EB897F4EBF2D258CE5C05F221@yuhanna.magnetdigital.local> <38FA7BAB-AC2B-4515-85CF-27F77C3F4313@mac.com> <3807CE6F3BF4B04EB897F4EBF2D258CE5C05F28C@yuhanna.magnetdigital.local>, <13511933-562D-4887-951B-5BB01F62AB00@mac.com>

Sorry, my opinion, but I'm not a BSD guru.. I have just been working on BSD for about 2 months..
I know that PF or IPFW isn't built for a multicore architecture... As far as I know, if my server gets heavy SYN flood traffic, one core isn't enough for PF or IPFW..
I also tried syn_cookie, syn_cookie_only and syn_cache.. If I set syn_cookie on, input errors start after 600.000 SYN packets per second. But when I set SYN cookie protection off.. my server can handle many more SYN packets than 600.000..
Also that's why I don't use syncookies either..
Is there any stateful firewall software on FreeBSD which supports multicore processing? (Do you know?) I'm up to set it up..

I will get tcpdump again with the -X param.. then I will post it again..

Thanks for your comments.

________________________________________
From: Chuck Swiger [cswiger@mac.com]
Sent: Thursday, March 15, 2012 10:30 PM
To: Seyit Özgür
Cc: freebsd-net@freebsd.org
Subject: Re: Malformed syn packet cause %100 cpu and interrupts FreeBSD 9.0 release

On Mar 15, 2012, at 1:17 PM, Seyit Özgür wrote:
> Thanks for the quick reply.. but I don't use a firewall. I tried to use PF..
> The packet filter gets stuck at up to 100.000 SYN packets flooding (on an open port).. Without the packet filter it handles much more SYN flooding. Like 1Mpps can be handled w/o interrupts that I see on my equipment.
> But in this case of "malformed packets" I get interrupts and also input packet errors.. causing 100% CPU..
> Is there any way to stop them without a firewall? Any RFC kernel feature that can check and stop those bogus packets?
> Or am I doing something wrong in PF?

I prefer IPFW myself, but you probably ran out of stateful rule slots.  For a high-volume service which is expected to be Internet-reachable (i.e., port 80 to a busy webserver), you really just don't want to have stateful rules -- it's too easy to DoS the firewall itself, as you noticed.  In any event, you don't need state if you are just blacklisting attack sources.

You haven't really identified what you mean by "malformed", but maybe you are talking about a SYN flood, in which case make sure that SYN cookies and SYN cache are enabled...

Regards,
--
-Chuck

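The settings the thread calls syn_cookie, syn_cookie_only and syn_cache are the FreeBSD sysctls net.inet.tcp.syncookies, net.inet.tcp.syncookies_only and the net.inet.tcp.syncache.* limits. The script below is an added example, not code from this thread or from FreeBSD: it reads the two cookie sysctls in the `name: value` form that `sysctl` prints and reports which SYN-flood handling mode results; on a non-FreeBSD host it runs on a constructed sample instead of the live values.

```shell
#!/bin/sh
# Added example: classify FreeBSD's SYN-flood handling from the two sysctl
# values discussed in the thread.  Input is "name: value" lines as printed by
#   sysctl net.inet.tcp.syncookies net.inet.tcp.syncookies_only
#
# Meaning of the combinations:
#   syncookies=1, syncookies_only=1 -> every SYN is answered with a cookie and
#                                      the syncache is bypassed (no per-SYN state)
#   syncookies=1, syncookies_only=0 -> syncache is used; a cookie is sent only
#                                      when a syncache bucket overflows (default)
#   syncookies=0                    -> syncache only; excess SYNs are dropped
classify_syn_defense() {
    cookies=""
    cookies_only=""
    while IFS= read -r line; do
        case "$line" in
            net.inet.tcp.syncookies:*)      cookies=${line##*: } ;;
            net.inet.tcp.syncookies_only:*) cookies_only=${line##*: } ;;
        esac
    done
    if [ "$cookies" = "1" ] && [ "$cookies_only" = "1" ]; then
        printf '%s\n' "cookies-only"
    elif [ "$cookies" = "1" ]; then
        printf '%s\n' "syncache-with-cookie-fallback"
    elif [ "$cookies" = "0" ]; then
        printf '%s\n' "syncache-only"
    else
        printf '%s\n' "unknown"
    fi
}

# On FreeBSD read the live values; elsewhere feed a constructed sample that
# mirrors the setting the thread's author says he ended up with (cookies off).
if [ "$(uname -s)" = "FreeBSD" ]; then
    sysctl net.inet.tcp.syncookies net.inet.tcp.syncookies_only | classify_syn_defense
else
    printf 'net.inet.tcp.syncookies: 0\nnet.inet.tcp.syncookies_only: 0\n' | classify_syn_defense
fi
```

Whichever mode is active, the syncache bucket and cache limits (net.inet.tcp.syncache.bucketlimit and cachelimit) still bound how many half-open connections are tracked before SYNs are dropped or cookied.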