Date:      Thu, 14 Sep 2006 17:26:11 +0200
From:      Willem Jan Withagen <wjw@withagen.nl>
To:        freebsd-net@FreeBSD.ORG,  wjw@digiware.nl,  gpalmer@FreeBSD.ORG
Subject:   Re: blocking a string in a packet using ipfw
Message-ID:  <45097493.8080108@withagen.nl>
In-Reply-To: <200609141512.k8EFClt9053685@lurza.secnetix.de>
References:  <200609141512.k8EFClt9053685@lurza.secnetix.de>

Oliver Fromme wrote:
> Gary Palmer wrote:
>  > Willem Jan Withagen wrote:
>  > > I received a call from a customer this morning that all of his websites were
>  > > no longer on line. So after some resetting and more it turned out that there
>  > > was a serious overload on his server. Over 500 clients connected (norm is 50),
>  > > and they were all trying to get this file 777.gif. (Which is not on any of the
>  > > sites).
>  > 
>  > Why not just create a 0 length file 777.gif and let people fetch it?
>  > It's probably a lot less work for the server.
> 
> I don't think so.  The overhead in Apache for serving
> a file is quite big.  On the other hand, IPFW tables
> store IP addresses in a radix tree, which should be
> quite efficient even for 100,000 entries.

I tried addressing that in a previous message. And I concur with you.
> 
> By the way:  If incoming bandwidth is a concern, it is
> probably better to use "reset" instead of "deny" in the
> IPFW rule.  If you use deny, the packets are simply
> dropped, causing the clients to retransmit their SYN
> packets several times, while "reset" (which here means
> "connection refused") causes no TCP retransmits.

Reason for not doing so is that bandwidth is not really an issue here.
2*155mbit connections to both Amsterdam and Frankfurt. :)
So people with viruses banging their heads against my door and getting
stalled because of timeouts is IMHO a nice way of slowing the harassment
down. I would even consider writing something that returns 1 char per 30 secs
for like forever, if only it didn't make me run out of serverslots/sockets/other
resources....

--WjW
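As an added example (not part of this thread or of FreeBSD's own tooling), a POSIX shell script that pulls the client addresses requesting 777.gif out of constructed Apache log lines and emits the ipfw table and rule commands the thread discusses, with the rule action selectable between "deny" and "reset"; the table number 1, rule number 100, and the combined-log field layout are assumptions.

```shell
#!/bin/sh
# Constructed sample of Apache combined-log lines (not taken from the thread):
# three requests for 777.gif from two hosts plus one legitimate request.
SAMPLE_LOG='192.0.2.10 - - [14/Sep/2006:17:00:01 +0200] "GET /777.gif HTTP/1.1" 404 209 "-" "-"
192.0.2.10 - - [14/Sep/2006:17:00:02 +0200] "GET /777.gif HTTP/1.1" 404 209 "-" "-"
198.51.100.7 - - [14/Sep/2006:17:00:03 +0200] "GET /777.gif HTTP/1.0" 404 209 "-" "-"
203.0.113.5 - - [14/Sep/2006:17:00:04 +0200] "GET /index.html HTTP/1.1" 200 1234 "-" "-"'

TABLE=1   # ipfw table number (assumed)
RULE=100  # ipfw rule number (assumed)

# Print the unique client IPs that requested the given path.
# $1: log text, $2: request path (field 7 of a combined-log line)
offending_ips() {
    printf '%s\n' "$1" | awk -v path="$2" '$7 == path { print $1 }' | sort -u
}

# Emit ipfw commands: one "table add" per offender, then one rule matching
# the table on port 80 SYNs. $3 is the action: "deny" drops silently (the
# client stalls on SYN retransmits, as the thread prefers), "reset" answers
# with RST so the client gets "connection refused" and stops retransmitting.
ipfw_commands() {
    action=$3
    case "$action" in
        deny|reset) ;;
        *) echo "unsupported action: $action" >&2; return 1 ;;
    esac
    for ip in $(offending_ips "$1" "$2"); do
        echo "ipfw table $TABLE add $ip"
    done
    echo "ipfw add $RULE $action tcp from 'table($TABLE)' to any 80 setup"
}

# Dry run: print the commands instead of executing them.
ipfw_commands "$SAMPLE_LOG" /777.gif deny
```

Pipe the output to sh on the firewall host only after reviewing it; the table is populated first so the rule never matches an empty set.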