Date: Thu, 14 Sep 2006 17:26:11 +0200
From: Willem Jan Withagen <wjw@withagen.nl>
To: freebsd-net@FreeBSD.ORG, wjw@digiware.nl, gpalmer@FreeBSD.ORG
Subject: Re: blocking a string in a packet using ipfw
Message-ID: <45097493.8080108@withagen.nl>
In-Reply-To: <200609141512.k8EFClt9053685@lurza.secnetix.de>
References: <200609141512.k8EFClt9053685@lurza.secnetix.de>
Oliver Fromme wrote:
> Gary Palmer wrote:
> > Willem Jan Withagen wrote:
> > > I received a call from a customer this morning that all of his websites were
> > > no longer on line. So after some resetting and more it turned out that there
> > > was a serious overload on his server. Over 500 clients connected (norm is 50) and
> > > they were all trying to get this file 777.gif. (Which is not on any of the
> > > sites).
> >
> > Why not just create a 0 length file 777.gif and let people fetch it?
> > It's probably a lot less work for the server.
>
> I don't think so. The overhead in Apache for serving
> a file is quite big. On the other hand, IPFW tables
> store IP addresses in a radix tree, which should be
> quite efficient even for 100,000 entries.

I tried addressing that in a previous message. And I concur with you.

> By the way: If incoming bandwidth is a concern, it is
> probably better to use "reset" instead of "deny" in the
> IPFW rule. If you use deny, the packets are simply
> dropped, causing the clients to retransmit their SYN
> packets several times, while "reset" (which here means
> "connection refused") causes no TCP retransmits.

Reason for not doing so is that bandwidth is not really an issue here.
2*155mbit connections to both Amsterdam and Frankfurt. :)

So people with viruses banging their heads against my door, and getting
stalled because of timeouts, is IMHO a nice way of slowing the harassment
down. I would even consider writing something that returns 1 char per 30
secs for like forever, if it not only made me run out of server
slots/sockets/other resources....

--WjW
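As an added example (not code from the thread or from any of its participants): a small Python script that does the defender's side of what is discussed above, counting requests for /777.gif per client in Apache-style access logs and emitting the ipfw commands to load the offenders into a table and block them with either "reset" or "deny". The log lines are constructed, and the table number, rule number and port are assumptions.

```python
import re
from collections import Counter

# Constructed sample Apache combined-log lines (not taken from the thread).
SAMPLE_LOG = """\
10.0.0.5 - - [14/Sep/2006:09:01:02 +0200] "GET /777.gif HTTP/1.1" 404 209 "-" "Mozilla/4.0"
10.0.0.5 - - [14/Sep/2006:09:01:03 +0200] "GET /777.gif HTTP/1.1" 404 209 "-" "Mozilla/4.0"
10.0.0.5 - - [14/Sep/2006:09:01:04 +0200] "GET /777.gif HTTP/1.1" 404 209 "-" "Mozilla/4.0"
192.0.2.7 - - [14/Sep/2006:09:01:05 +0200] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
198.51.100.9 - - [14/Sep/2006:09:01:06 +0200] "GET /777.gif HTTP/1.0" 404 209 "-" "-"
198.51.100.9 - - [14/Sep/2006:09:01:07 +0200] "GET /images/logo.gif HTTP/1.0" 200 812 "-" "-"
"""

# Client address, then the request line's method and path.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*"')


def count_hits(log_text, path="/777.gif"):
    """Return a Counter of client address -> number of requests for `path`."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group(2) == path:
            hits[m.group(1)] += 1
    return hits


def offenders(log_text, path="/777.gif", threshold=3):
    """Sorted list of clients that requested `path` at least `threshold` times."""
    return sorted(ip for ip, n in count_hits(log_text, path).items() if n >= threshold)


def ipfw_commands(ips, table=1, rule=100, action="reset", port=80):
    """Build the ipfw commands an admin would run: fill a table with the
    offending addresses, then one rule matching the table with the chosen
    action ("reset" sends RST, "deny" silently drops). Table and rule
    numbers are assumptions; the parentheses are quoted for the shell."""
    if action not in ("reset", "deny"):
        raise ValueError("action must be 'reset' or 'deny'")
    cmds = [f"ipfw table {table} add {ip}" for ip in ips]
    cmds.append(f"ipfw add {rule} {action} tcp from 'table({table})' to me {port}")
    return cmds


if __name__ == "__main__":
    for cmd in ipfw_commands(offenders(SAMPLE_LOG)):
        print(cmd)
```

The script only prints the commands so they can be reviewed before being run; loading the table rather than writing one rule per address keeps the lookup in the radix tree the thread mentions.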