Date: Sun, 29 Feb 2004 11:16:00 -0500
From: Don Bowman <don@sandvine.com>
To: 'Mike Silbersack' <silby@silby.com>, Don Bowman <don@sandvine.com>
Cc: freebsd-hackers@freebsd.org
Subject: RE: em0, polling performance, P4 2.8ghz FSB 800mhz
Message-ID: <FE045D4D9F7AED4CBFF1B3B813C85337045D8313@mail.sandvine.com>
From: Mike Silbersack [mailto:silby@silby.com]

> On Sat, 28 Feb 2004, Don Bowman wrote:
>
> > You could use ipfw to limit the damage of a syn flood, e.g.
> > a keep-state rule with a limit of ~2-5 per source IP, lower the
> > timeouts, increase the hash buckets in ipfw, etc. This would
> > use a mask on src-ip of all bits.
> > something like:
> >
> > allow tcp from any to any setup limit src-addr 2
> >
> > this would only allow 2 concurrent TCP sessions per unique
> > source address. Depends on the syn flood you are expecting
> > to experience. You could also use dummynet to shape syn
> > traffic to a fixed level I suppose.
>
> Does that really help? If so, we need to optimize the syncache. :(

In a real-world situation, with some latency from the originating syn-flood
attacker, the syncache behaves fine. In a synthetic test situation like this,
with probably ~0 latency from the initiator, the syncache gets overwhelmed too.
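As an added example (not code from either poster), the mitigations Don sketches above, the per-source `limit src-addr` rule, shorter dynamic-rule timeouts, more hash buckets, and a dummynet pipe for SYN traffic, written out as a FreeBSD ipfw rule set. It assumes ipfw and dummynet are loaded, takes the interface name, per-source session cap and SYN bandwidth as parameters (my choices, not from the thread), and lets you set `IPFW`/`SYSCTL` to `echo` to preview what it would run.

```shell
#!/bin/sh
# Added example, not from the thread: ipfw SYN-flood damage limiting.
# Assumes FreeBSD with ipfw + dummynet loaded. Set IPFW=echo SYSCTL=echo
# to print the commands instead of applying them.
IPFW="${IPFW:-ipfw}"
SYSCTL="${SYSCTL:-sysctl}"

# Tune the dynamic-rule (keep-state/limit) table: more hash buckets so
# lookups stay cheap with many entries, and short lifetimes so half-open
# (SYN-only) entries expire quickly instead of piling up.
synflood_sysctls() {
    "$SYSCTL" net.inet.ip.fw.dyn_buckets=65536      # must be a power of two
    "$SYSCTL" net.inet.ip.fw.dyn_max=65536          # hard cap on dynamic rules
    "$SYSCTL" net.inet.ip.fw.dyn_syn_lifetime=5     # seconds for SYN-only state
    "$SYSCTL" net.inet.ip.fw.dyn_ack_lifetime=300   # established flows
    # Let packets continue through the rule set after leaving a pipe,
    # otherwise the limit rule below is never reached for shaped SYNs.
    "$SYSCTL" net.inet.ip.fw.one_pass=0
}

# $1 = inbound interface (e.g. em0)
# $2 = max concurrent TCP sessions per source address (thread uses 2)
# $3 = dummynet bandwidth ceiling for inbound SYN ("setup") packets
synflood_rules() {
    ifc="${1:-em0}"
    per_src="${2:-2}"
    syn_bw="${3:-64Kbit/s}"
    # Shape inbound SYNs to a fixed rate so a flood cannot starve the host.
    "$IPFW" pipe 1 config bw "$syn_bw" queue 50
    "$IPFW" add 100 pipe 1 tcp from any to any setup in via "$ifc"
    # Match packets belonging to flows we already accepted.
    "$IPFW" add 200 check-state
    # Cap concurrent sessions per source; src-addr uses all 32 mask bits,
    # so each distinct source IP gets its own counter and dynamic entry.
    "$IPFW" add 300 allow tcp from any to any setup in via "$ifc" \
        limit src-addr "$per_src"
    # Inbound TCP that did not enter through the limited setup path.
    "$IPFW" add 400 deny tcp from any to any in via "$ifc"
}
```

Raise `dyn_max` together with `dyn_buckets` if the host legitimately carries more concurrent flows than the cap; once the table is full, new `limit` matches are refused.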