From: Oliver Fromme
To: freebsd-net@FreeBSD.ORG, wjw@digiware.nl, gpalmer@FreeBSD.ORG
Date: Thu, 14 Sep 2006 17:12:47 +0200 (CEST)
Subject: Re: blocking a string in a packet using ipfw
Message-Id: <200609141512.k8EFClt9053685@lurza.secnetix.de>
In-Reply-To: <20060914144130.GB17002@in-addr.com>

Gary Palmer wrote:

> Willem Jan Withagen wrote:
> > I received a call from a customer this morning that all of his websites were
> > no longer on line. So after some resetting and more, it turned out that there
> > was a serious overload on his server. Over 500 clients connected (norm is 50), and
> > they were all trying to get this file 777.gif. (Which is not on any of the
> > sites).
>
> Why not just create a 0 length file 777.gif and let people fetch it?
> It's probably a lot less work for the server.

I don't think so. The overhead in Apache for serving a file is quite big.
On the other hand, IPFW tables store IP addresses in a radix tree, which
should be quite efficient even for 100,000 entries.

By the way: If incoming bandwidth is a concern, it is probably better to
use "reset" instead of "deny" in the IPFW rule. If you use deny, the
packets are simply dropped, causing the clients to retransmit their SYN
packets several times, while "reset" (which here means "connection
refused") causes no TCP retransmits.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Services with a focus on FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"That's what I love about GUIs: They make simple tasks easier,
and complex tasks impossible." -- John William Chambless
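The approach Oliver describes, collecting the clients that keep requesting the phantom 777.gif, loading them into an ipfw table and matching the whole table with a single "reset" rule, as an added shell example that is not part of the thread or of any poster's own setup. It assumes an Apache access log in Common Log Format, ipfw table number 1, rule number 100 and a web server on port 80 (all chosen for the example), and runs in dry-run mode by default so the generated ipfw commands are printed rather than executed. The log lines in SAMPLE_LOG are constructed with documentation addresses.

```shell
#!/bin/sh
# Added example, not code from the thread: extract the clients hammering the
# non-existent 777.gif from an Apache access log and block them with one ipfw
# table rule, using "reset" rather than "deny" so the clients get an immediate
# RST (connection refused) instead of retransmitting their SYNs.
# Assumptions (chosen for this example): Common Log Format, ipfw table 1,
# rule number 100, web server on port 80. DRY_RUN=1 prints the ipfw commands
# instead of executing them; set DRY_RUN=0 on a FreeBSD host to apply them.

DRY_RUN="${DRY_RUN:-1}"
TABLE=1
RULE=100

# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG='192.0.2.10 - - [14/Sep/2006:10:01:02 +0200] "GET /777.gif HTTP/1.1" 404 209
198.51.100.7 - - [14/Sep/2006:10:01:03 +0200] "GET /index.html HTTP/1.1" 200 1043
192.0.2.10 - - [14/Sep/2006:10:01:05 +0200] "GET /777.gif HTTP/1.1" 404 209
203.0.113.44 - - [14/Sep/2006:10:01:06 +0200] "GET /images/777.gif HTTP/1.1" 404 209'

# offenders: read log lines on stdin and print each distinct client address
# whose request path ends in /777.gif. In CLF field 1 is the client address
# and field 7 is the request path.
offenders() {
    awk '$7 ~ /\/777\.gif$/ { print $1 }' | sort -u
}

# run: execute a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# block_offenders: read addresses on stdin, add them to the ipfw table and
# install a single rule that matches the whole table. A table lookup is one
# radix-tree search, so the rule count stays at one however many addresses
# the table holds.
block_offenders() {
    while read -r addr; do
        [ -n "$addr" ] || continue
        run ipfw table "$TABLE" add "$addr"
    done
    # "reset" answers each SYN with a RST; "deny" would silently drop it and
    # every client would retry its SYN several times, wasting inbound bandwidth.
    run ipfw add "$RULE" reset tcp from "table($TABLE)" to me dst-port 80
}

# demo: run the whole pipeline over the constructed sample log.
demo() {
    printf '%s\n' "$SAMPLE_LOG" | offenders | block_offenders
}

demo
```

On a live system you would feed the real access log into offenders (for example with tail -f for continuous blocking) and run with DRY_RUN=0; ipfw table 1 list shows what has been loaded, and ipfw table 1 flush clears it once the flood subsides. When typing the rule at a shell by hand, the parentheses in table(1) must be quoted.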