Date: Thu, 14 Sep 2006 17:12:47 +0200 (CEST)
From: Oliver Fromme <olli@lurza.secnetix.de>
To: freebsd-net@FreeBSD.ORG, wjw@digiware.nl, gpalmer@FreeBSD.ORG
Subject: Re: blocking a string in a packet using ipfw
Message-ID: <200609141512.k8EFClt9053685@lurza.secnetix.de>
In-Reply-To: <20060914144130.GB17002@in-addr.com>
Gary Palmer wrote:
> Willem Jan Withagen wrote:
> > I received a call from a customer this morning that all of his websites were
> > no longer online. So after some resetting and more it turned out that there
> > was a serious overload on his server. Over 500 clients connected (norm is 50), and
> > they were all trying to get this file 777.gif. (Which is not on any of the
> > sites).
>
> Why not just create a 0 length file 777.gif and let people fetch it?
> It's probably a lot less work for the server.

I don't think so. The overhead in Apache for serving a file is quite big.
On the other hand, IPFW tables store IP addresses in a radix tree, which
should be quite efficient even for 100,000 entries.

By the way: If incoming bandwidth is a concern, it is probably better to
use "reset" instead of "deny" in the IPFW rule. If you use deny, the
packets are simply dropped, causing the clients to retransmit their SYN
packets several times, while "reset" (which here means "connection
refused") causes no TCP retransmits.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Services specializing in FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"That's what I love about GUIs: They make simple tasks easier,
and complex tasks impossible." -- John William Chambless
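The table-based IPFW rule discussed in this reply, written out as an added example (it is not code from the thread or from Oliver). The table number (1), rule number (1000), web port (80) and the blocked client addresses (RFC 5737 documentation ranges) are constructed assumptions. The `IPFW` variable defaults to `echo ipfw`, so the script prints the commands for review on any machine; setting `IPFW=ipfw` on a FreeBSD host applies them. The action argument selects between the "deny" variant (silent drop, client retransmits its SYN) and the "reset" variant (RST is returned, no retransmits).

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Assumptions: ipfw(8) with table support, table 1, rule 1000, web port 80.
# IPFW="echo ipfw" (default) is a dry run; IPFW=ipfw applies the rules.
IPFW="${IPFW:-echo ipfw}"
TABLE=1
RULE=1000
PORT=80

# Constructed sample of offending client addresses (documentation ranges).
# In practice this list would come from the web server's access log.
blocked_clients() {
    cat <<'EOF'
192.0.2.10
198.51.100.7
203.0.113.0/24
EOF
}

# Emit the IPFW commands for one action.
#   deny  : drop the SYN silently; the client retransmits it several times.
#   reset : answer with a TCP RST ("connection refused"); no retransmits.
# "setup" restricts the rule to connection attempts (SYN without ACK), so
# the table lookup (radix tree) runs only once per attempt, not per packet.
build_rules() {
    action="$1"
    case "$action" in
        deny|reset) ;;
        *) echo "action must be deny or reset, got '$action'" >&2; return 1 ;;
    esac
    $IPFW table "$TABLE" flush
    blocked_clients | while read -r addr; do
        $IPFW table "$TABLE" add "$addr"
    done
    $IPFW add "$RULE" "$action" tcp from "table($TABLE)" to me "$PORT" setup
}

# Preferred variant per the discussion: refuse with RST instead of dropping.
build_rules reset
```

Running it without arguments prints the "reset" ruleset; `build_rules deny` prints the drop variant for comparison. Because the table holds the addresses and the single rule references it, adding a further client later is one `ipfw table 1 add` call, not a new rule.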