From owner-freebsd-net@FreeBSD.ORG Thu Mar 15 20:41:50 2012
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 33958106566B for ; Thu, 15 Mar 2012 20:41:50 +0000 (UTC) (envelope-from seyit.ozgur@istanbul.net)
Received: from spamtrap1.istanbul.net (spamtrap1.istanbul.net [85.111.12.35]) by mx1.freebsd.org (Postfix) with ESMTP id 7EC898FC0C for ; Thu, 15 Mar 2012 20:41:49 +0000 (UTC)
Received: from GAMMA.magnetdigital.local (gamma.magnetdigital.local [192.168.131.244]) by spamtrap1.istanbul.net with ESMTP id HufsxjRgc8IQvTZc; Thu, 15 Mar 2012 22:41:40 +0200 (EET)
Received: from YUHANNA.magnetdigital.local ([fe80::1058:3088:f9b1:1346]) by GAMMA.magnetdigital.local ([fe80::3cca:d6ef:febb:fafb%17]) with mapi id 14.01.0218.012; Thu, 15 Mar 2012 22:40:51 +0200
From: Seyit Özgür
To: Chuck Swiger
Date: Thu, 15 Mar 2012 20:40:49 +0000
Message-ID: <3807CE6F3BF4B04EB897F4EBF2D258CE5C05F2D0@yuhanna.magnetdigital.local>
References: <3807CE6F3BF4B04EB897F4EBF2D258CE5C05F221@yuhanna.magnetdigital.local> <38FA7BAB-AC2B-4515-85CF-27F77C3F4313@mac.com> <3807CE6F3BF4B04EB897F4EBF2D258CE5C05F28C@yuhanna.magnetdigital.local>, <13511933-562D-4887-951B-5BB01F62AB00@mac.com>
In-Reply-To: <13511933-562D-4887-951B-5BB01F62AB00@mac.com>
Content-Type: text/plain; charset="iso-8859-9"
Cc: "freebsd-net@freebsd.org"
Subject: RE: Malformed syn packet cause %100 cpu and interrupts FreeBSD 9.0 release
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Thu, 15 Mar 2012 20:41:50 -0000

Sorry, this is only my opinion, and I'm not a BSD guru; I've only been working on BSD for about 2 months.
I know that PF and IPFW aren't built for a multicore architecture. As far as I know, if my server gets heavy SYN flood traffic, one core isn't enough for PF or IPFW.
I also tried syncookies, syncookies_only and syncache. If I enable syncookies, input errors start after 600,000 SYN packets per second. But when I turn off syncookie protection, my server can handle much more than 600,000 SYN packets.
That's also why I don't use syncookies.
Is there any stateful firewall software on FreeBSD that supports multicore processing (do you know of one)? I'm ready to set it up.

I will get a tcpdump again with the -X parameter, then post it again.

Thanks for your comments.

________________________________________
From: Chuck Swiger [cswiger@mac.com]
Sent: Thursday, March 15, 2012 10:30 PM
To: Seyit Özgür
Cc: freebsd-net@freebsd.org
Subject: Re: Malformed syn packet cause %100 cpu and interrupts FreeBSD 9.0 release

On Mar 15, 2012, at 1:17 PM, Seyit Özgür wrote:
> Thanks for the quick reply, but I don't use a firewall. I tried to use PF.
> Packet filter gets stuck at up to 100,000 SYN packets flooding (on an open port). Without packet filter it handles much more SYN flooding, like 1 Mpps, without the interrupts that I see on my equipment.
> But in this case of "malformed packets" I get interrupts and also input packet errors, causing 100% CPU.
> Is there any way to stop them without a firewall? Any RFC kernel feature that can check and stop those bogus packets?
> Or am I doing something wrong in PF?

I prefer IPFW myself, but you probably ran out of stateful rule slots. For high-volume services which are expected to be Internet-reachable (i.e., port 80 on a busy webserver), you really just don't want to have stateful rules; it's too easy to DoS the firewall itself, as you noticed. In any event, you don't need state if you are just blacklisting attack sources.

You haven't really identified what you mean by "malformed", but maybe you are talking about a SYN flood, in which case make sure that SYN cookies and SYN cache are enabled...

Regards,
--
-Chuck

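Seyit says he will post a `tcpdump -X` capture of the packets that trigger the input errors. The block below is an added example, not part of the thread and not anything Seyit or Chuck posted: a small Python decoder for `tcpdump -X` hex output that pulls the IPv4 and TCP header fields out of each dump and reports the conditions a TCP stack would count as malformed (bad header lengths, IP total length disagreeing with the captured size, bad IP header checksum, SYN combined with FIN or RST, source port 0). The two packets embedded in it are constructed for illustration, one sane SYN and one deliberately broken one; they are not taken from the capture under discussion, and the `SYN with zero window` line is a heuristic of this example, not a protocol violation.

```python
import re
import struct

# Constructed sample in `tcpdump -X` layout (no -e, so the dump starts at the IP header).
# Packet 1: ordinary SYN with an MSS option.  Packet 2: source port 0, FIN+SYN, data offset 4.
SAMPLE_DUMP = """\
22:40:51.000001 IP 198.51.100.7.40000 > 203.0.113.5.80: Flags [S], seq 1, win 65535, options [mss 1460], length 0
\t0x0000:  4500 002c 0001 4000 4006 d48a c633 6407  E..,..@.@....3d.
\t0x0010:  cb00 7105 9c40 0050 0000 0001 0000 0000  ..q..@.P........
\t0x0020:  6002 ffff 0000 0000 0204 05b4            `...............
22:40:51.000002 IP 192.0.2.99.0 > 203.0.113.5.80: Flags [FS], seq 0, win 0, length 0
\t0x0000:  4500 0028 0002 0000 ff06 bd64 c000 0263  E..(.......d...c
\t0x0010:  cb00 7105 0000 0050 0000 0000 0000 0000  ..q....P........
\t0x0020:  4003 0000 0000 0000                      @.......
"""

HEX_LINE = re.compile(r'^\s+0x([0-9a-fA-F]+):\s+(.*)$')
TCP, FIN, SYN, RST = 6, 0x01, 0x02, 0x04


def parse_tcpdump_x(text):
    """Split `tcpdump -X` text into a list of (summary line, raw packet bytes)."""
    packets, summary, chunks = [], None, []
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m:
            # tcpdump separates the hex column from the ASCII column with two or more spaces.
            hexpart = re.split(r'\s{2,}', m.group(2).strip())[0]
            chunks.append(bytes.fromhex(hexpart.replace(' ', '')))
        elif line.strip():
            if summary is not None:
                packets.append((summary, b''.join(chunks)))
            summary, chunks = line.strip(), []
    if summary is not None:
        packets.append((summary, b''.join(chunks)))
    return packets


def ip_checksum(header):
    """RFC 1071 one's-complement sum; returns 0 when run over a header with a valid checksum."""
    total = sum((header[i] << 8) | header[i + 1] for i in range(0, len(header) - 1, 2))
    if len(header) % 2:
        total += header[-1] << 8
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def check_packet(pkt):
    """Return a list of reasons a stack would reject or distrust this packet (empty = looks sane)."""
    issues = []
    if len(pkt) < 20:
        return ['IP header truncated']
    version, ihl = pkt[0] >> 4, (pkt[0] & 0x0F) * 4
    total_len = struct.unpack('!H', pkt[2:4])[0]
    if version != 4:
        issues.append(f'IP version {version}')
    if ihl < 20 or ihl > len(pkt):
        return issues + [f'IP header length {ihl} invalid for {len(pkt)} captured bytes']
    if ip_checksum(pkt[:ihl]) != 0:
        issues.append('bad IP header checksum')
    if total_len != len(pkt):
        issues.append(f'IP total length {total_len} != captured {len(pkt)}')
    if pkt[9] != TCP:
        return issues + [f'protocol {pkt[9]} is not TCP']
    tcp = pkt[ihl:]
    if len(tcp) < 20:
        return issues + ['TCP header truncated']
    sport, dport, seq, ack, off_flags, win = struct.unpack('!HHIIHH', tcp[:16])
    doff, flags = (off_flags >> 12) * 4, off_flags & 0x1FF
    if doff < 20:
        issues.append(f'TCP data offset {doff} < 20')
    elif doff > len(tcp):
        issues.append(f'TCP data offset {doff} runs past the {len(tcp)} TCP bytes captured')
    if flags & SYN:
        if flags & FIN:
            issues.append('SYN+FIN set together')
        if flags & RST:
            issues.append('SYN+RST set together')
        if sport == 0:
            issues.append('source port 0')
        if win == 0:
            issues.append('SYN with zero window')
    return issues


def report(text):
    """Analyse every packet in a `tcpdump -X` dump: list of (summary, issues)."""
    return [(summary, check_packet(raw)) for summary, raw in parse_tcpdump_x(text)]


if __name__ == '__main__':
    for summary, issues in report(SAMPLE_DUMP):
        print(summary)
        print('   ', 'ok' if not issues else '; '.join(issues))
```

Feed it the real capture with `report(open('syn.txt').read())`; packets that come back clean are just a SYN flood and belong with Chuck's syncookies/syncache advice, while packets that come back with header-length or flag complaints are the ones worth pasting back to the list. The TCP checksum is deliberately not verified here (it needs the pseudo-header and `tcpdump -v` already reports it).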