From: Willem Jan Withagen <wjw@withagen.nl>
Date: Thu, 14 Sep 2006 17:26:11 +0200
To: freebsd-net@FreeBSD.ORG, wjw@digiware.nl, gpalmer@FreeBSD.ORG
Subject: Re: blocking a string in a packet using ipfw
Message-ID: <45097493.8080108@withagen.nl>
In-Reply-To: <200609141512.k8EFClt9053685@lurza.secnetix.de>
List-Id: Networking and TCP/IP with FreeBSD

Oliver Fromme wrote:
> Gary Palmer wrote:
> > Willem Jan Withagen wrote:
> > > I received a call from a customer this morning that all of his websites were
> > > no longer on line. So after some resetting and more it turned out that there
> > > was a serious overload on his server. Over 500 clients connected (norm is 50) and
> > > they were all trying to get this file 777.gif. (Which is not on any of the
> > > sites).
> >
> > Why not just create a 0 length file 777.gif and let people fetch it?
> > It's probably a lot less work for the server.
>
> I don't think so. The overhead in Apache for serving
> a file is quite big. On the other hand, IPFW tables
> store IP addresses in a radix tree, which should be
> quite efficient even for 100,000 entries.

I tried addressing that in a previous message. And I concur with you.

> By the way: If incoming bandwidth is a concern, it is
> probably better to use "reset" instead of "deny" in the
> IPFW rule. If you use deny, the packets are simply
> dropped, causing the clients to retransmit their SYN
> packets several times, while "reset" (which here means
> "connection refused") causes no TCP retransmits.

Reason for not doing so is that bandwidth is not really an issue here:
2*155 Mbit connections to both Amsterdam and Frankfurt. :)
So people with viruses banging their heads against my door, and getting
stalled because of timeouts, is IMHO a nice way of slowing the harassment down.

I would even consider writing something that returns 1 char per 30 secs for
like forever, if only it didn't make me run out of serverslots/sockets/other
resources....

--WjW
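The two rule variants weighed in this thread, as an added example that is not part of the original mail: a POSIX sh script that pulls the client addresses requesting /777.gif out of an Apache access log, loads them into an ipfw table, and installs either a "deny" or a "reset" rule for new connections from that table. Table 1, rule 100, the log path and the sample log lines are assumptions or constructed, and the rule uses ipfw's table(N) address syntax.

```shell
#!/bin/sh
# Added example, not code from the thread: load the clients hammering /777.gif
# into an ipfw table and block new connections from them with either "deny"
# (silent drop: the client retransmits its SYNs and stalls on timeouts, WjW's
# preference) or "reset" (RST, i.e. "connection refused": no retransmits,
# Oliver's suggestion when inbound bandwidth matters).
# Assumptions: table 1 and rule 100 are unused; ipfw's table(N) syntax.
# DRY_RUN is on by default and prints the ipfw commands; run with DRY_RUN= to
# execute them for real.
DRY_RUN="${DRY_RUN-1}"
TABLE=1
RULE=100

ipfw_cmd() {
    if [ -n "$DRY_RUN" ]; then echo "ipfw $*"; else ipfw "$@"; fi
}

# Distinct client addresses that requested /777.gif. In Apache's common log
# format the client address is field 1 and the request path is field 7.
offending_ips() {
    awk '$7 == "/777.gif" { print $1 }' "$1" | sort -u
}

# Usage: block_offenders LOGFILE [deny|reset]
block_offenders() {
    log="$1"; mode="${2:-deny}"
    case "$mode" in
        deny|reset) ;;
        *) echo "mode must be deny or reset" >&2; return 1 ;;
    esac
    for ip in $(offending_ips "$log"); do
        ipfw_cmd table "$TABLE" add "$ip"
    done
    # "setup" matches only the SYN of a new connection to the web port.
    ipfw_cmd add "$RULE" "$mode" tcp from "table($TABLE)" to me 80 setup
}

# Constructed sample access log (not real traffic) for a dry run.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
192.0.2.10 - - [14/Sep/2006:15:00:01 +0200] "GET /777.gif HTTP/1.0" 404 209
192.0.2.11 - - [14/Sep/2006:15:00:02 +0200] "GET /index.html HTTP/1.1" 200 1043
192.0.2.10 - - [14/Sep/2006:15:00:03 +0200] "GET /777.gif HTTP/1.0" 404 209
198.51.100.7 - - [14/Sep/2006:15:00:04 +0200] "GET /777.gif HTTP/1.0" 404 209
EOF

block_offenders "$SAMPLE_LOG" reset
```

Swap "reset" for "deny" in the last call to get the silently dropping variant; the table load is identical either way.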