Date:      Thu, 15 Mar 2012 20:17:03 +0000
From:      Seyit Özgür <seyit.ozgur@istanbul.net>
To:        Chuck Swiger <cswiger@mac.com>
Cc:        "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>
Subject:   RE: Malformed syn packet cause %100 cpu and interrupts FreeBSD 9.0 release
Message-ID:  <3807CE6F3BF4B04EB897F4EBF2D258CE5C05F28C@yuhanna.magnetdigital.local>
In-Reply-To: <38FA7BAB-AC2B-4515-85CF-27F77C3F4313@mac.com>
References:  <3807CE6F3BF4B04EB897F4EBF2D258CE5C05F221@yuhanna.magnetdigital.local>, <38FA7BAB-AC2B-4515-85CF-27F77C3F4313@mac.com>

Thanks for the quick reply, but I don't use a firewall. I tried to use PF.
Packet filter gets stuck at up to 100.000 SYN packets flooding (on an open port). Without packet filter it handles much more SYN flooding. Like 1 Mpps it can handle w/o interrupts that I see on my equipment.
But in this case, "malformed packets", I got interrupts and also input packet errors, which cause 100% CPU.
Is there any way to stop them without a firewall? Is there any RFC kernel feature that can check and stop those bogus packets?
Or am I doing something wrong with PF?
________________________________________
From: Chuck Swiger [cswiger@mac.com]
Sent: Thursday, March 15, 2012 10:12 PM
To: Seyit Özgür
Cc: freebsd-net@freebsd.org
Subject: Re: Malformed syn packet cause %100 cpu and interrupts FreeBSD 9.0 release

On Mar 15, 2012, at 12:49 PM, Seyit Özgür wrote:
> Today we tried to see what happens with malformed SYN packets on FreeBSD 9.0 release.
>
> Those packets raise the CPU to 100% and it gets stuck.
>
> listening on ix0, link-type EN10MB (Ethernet), capture size 65535 bytes
> 18:33:30.010215 IP vgn44-1-88-123-89-40.fbx.proxad.net > 85.xxx.xxx.90: tcp
> 18:33:30.010242 IP 225.74.196.88.sta.estpak.ee > 85.xxx.xxx.90: tcp
> 18:33:30.010269 IP Nnov-Prospekt.71.quantum.rn > 85.xxx.xxx.90: tcp
> 18:33:30.010296 IP host52-108-static.49-88-b.business.telecomitalia.it > 85.xxx.xxx.90: tcp
> 18:33:30.010325 IP 125.Red-88-1-75.dynamicIP.rima-tde.net > 85.xxx.xxx.90: tcp
>
> I don't know which tool generates those packets, but as we see, I don't see seq, flag, length etc., just this output on tcpdump.
>
> Is there any kernel feature to NOT process malformed SYN packets?

A firewall can block them before the system will see and try to process them as incoming traffic.

Also, running tcpdump with -X will give both hex and ASCII rendition of the packets, which would be helpful to identify what you mean by "malformed".

Regards,
--
-Chuck



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3807CE6F3BF4B04EB897F4EBF2D258CE5C05F28C>
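
Added example, not part of the original thread: a triage helper for the `tcpdump -X` output suggested in the reply above. It rebuilds the packet bytes from the hex column and lists which IPv4/TCP header sanity checks fail. The sample dump, its addresses and the function names are constructed for illustration; the thread does not say which of these conditions, if any, the reported packets matched.

```python
import re
import struct

# Constructed sample in `tcpdump -X` layout: a plain SYN between documentation addresses.
SAMPLE = """\
\t0x0000:  4500 0028 0001 0000 4006 0000 c000 0201  E..(....@.......
\t0x0010:  c633 645a 3039 0050 0000 0001 0000 0000  .3dZ09.P........
\t0x0020:  5002 ffff 0000 0000                      P.......
"""

def bytes_from_dump(dump):
    """Rebuild packet bytes (starting at the IP header) from tcpdump -X hex lines."""
    out = bytearray()
    for line in dump.splitlines():
        m = re.match(r"\s*0x[0-9a-f]{4}:\s+(.*)", line)
        if m:  # hex groups are single-spaced; 2+ spaces start the ASCII column
            out += bytes.fromhex(re.split(r"\s{2,}", m.group(1))[0])
    return bytes(out)

def triage(pkt):
    """List the reasons pkt is not a well-formed IPv4/TCP segment ([] means sane)."""
    if len(pkt) < 20:
        return ["truncated IPv4 header"]
    ver_ihl, _, total, _, frag, _, proto = struct.unpack("!BBHHHBB", pkt[:10])
    ihl, found = (ver_ihl & 0x0F) * 4, []
    if ver_ihl >> 4 != 4:
        found.append("IP version is not 4")
    if ihl < 20 or ihl > len(pkt):
        return found + ["bad IPv4 header length"]
    if total < ihl or total > len(pkt):
        found.append("IP total length disagrees with captured bytes")
    if proto != 6:
        return found + ["not TCP"]
    if frag & 0x1FFF:  # non-zero fragment offset
        return found + ["non-first fragment, no TCP header to inspect"]
    tcp = pkt[ihl:]
    if len(tcp) < 20:
        return found + ["truncated TCP header"]
    doff, flags = (tcp[12] >> 4) * 4, tcp[13]
    if doff < 20 or doff > len(tcp):
        found.append("bad TCP data offset")
    if flags & 0x3F == 0:
        found.append("no TCP flags set")
    if flags & 0x02 and flags & 0x05:
        found.append("SYN combined with FIN or RST")
    return found

if __name__ == "__main__":
    print(triage(bytes_from_dump(SAMPLE)) or "well-formed")
```

Captured bytes longer than the IP total length are not flagged, since short Ethernet frames are padded.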