Date:      Thu, 15 Mar 2012 13:30:07 -0700
From:      Chuck Swiger <cswiger@mac.com>
To:        Seyit Özgür <seyit.ozgur@istanbul.net>
Cc:        "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>
Subject:   Re: Malformed syn packet cause %100 cpu and interrupts FreeBSD 9.0 release
Message-ID:  <13511933-562D-4887-951B-5BB01F62AB00@mac.com>
In-Reply-To: <3807CE6F3BF4B04EB897F4EBF2D258CE5C05F28C@yuhanna.magnetdigital.local>
References:  <3807CE6F3BF4B04EB897F4EBF2D258CE5C05F221@yuhanna.magnetdigital.local> <38FA7BAB-AC2B-4515-85CF-27F77C3F4313@mac.com> <3807CE6F3BF4B04EB897F4EBF2D258CE5C05F28C@yuhanna.magnetdigital.local>

On Mar 15, 2012, at 1:17 PM, Seyit Özgür wrote:
> Thanks for the quick reply.. but I don't use a firewall. I tried to use PF..
>
> The packet filter gets stuck at around 100,000 SYN packets of flooding (on an open port).. Without the packet filter it handles much more SYN flooding. It can handle something like 1 Mpps w/o the interrupts that I see on my equipment.
> But in this case of "malformed packets" I get interrupts and also input packet errors.. causing 100% CPU..
> Is there any way to stop them without a firewall? Any RFC kernel feature that can check and stop those bogus packets?
> Or am I doing something wrong with PF?

I prefer IPFW myself, but you probably ran out of stateful rule slots. For a high-volume service which is expected to be Internet-reachable (i.e., port 80 to a busy webserver), you really just don't want to have stateful rules-- it's too easy to DoS the firewall itself, as you noticed. In any event, you don't need state if you are just blacklisting attack sources.

You haven't really identified what you mean by "malformed", but maybe you are talking about a SYN flood, in which case make sure that SYN cookies and SYN cache are enabled...

Regards,
-- 
-Chuck

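The following is an added example, not code from the thread or from either poster, showing what Chuck's advice looks like as a FreeBSD 9-era ipfw/sysctl fragment: the busy public port is filtered statelessly (the stateful `keep-state` form is shown beside it, commented out, as the weak setting), attack sources are blacklisted through an ipfw table so no dynamic state is needed, and SYN cookies are switched on in the TCP stack. Everything specific is an assumption for illustration: `em0` as the public interface, TCP/80 as the busy service, table 1 as the blacklist, and `192.0.2.0/24` as a constructed attacker prefix. With no argument the script only prints the commands; `apply` pipes them into `sh`.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). FreeBSD 9-era syntax.
# Assumed values, not taken from the original mail:
#   em0          public interface
#   TCP/80       the busy, Internet-reachable service
#   table 1      ipfw lookup table holding blacklisted sources
#   192.0.2.0/24 constructed attacker prefix (documentation range)

PUBLIC_IF=${PUBLIC_IF:-em0}
BLACKLIST_TABLE=${BLACKLIST_TABLE:-1}

# Rules for the public service. No rule below uses keep-state, so an inbound
# SYN flood allocates no dynamic rules and cannot exhaust net.inet.ip.fw.dyn_max,
# which is the resource a stateful ruleset runs out of under flood.
public_service_rules() {
    cat <<EOF
ipfw add 100 deny ip from "table(${BLACKLIST_TABLE})" to any in via ${PUBLIC_IF}
ipfw add 200 allow tcp from any to me 80 in via ${PUBLIC_IF}
ipfw add 210 allow tcp from me 80 to any out via ${PUBLIC_IF}
# Weak form of rule 200, deliberately NOT applied: every SYN would create a
# dynamic-rule entry, which is how a flood DoSes the firewall itself.
# ipfw add 200 allow tcp from any to me 80 in via ${PUBLIC_IF} setup keep-state
EOF
}

# Blacklisting a source needs no state at all: one table entry, matched by the
# stateless deny in rule 100. Only a dotted-quad with an optional /prefix is
# accepted, so a typo or a hostile string never reaches the ipfw command line.
blacklist_add() {
    case "$1" in
        ""|*[!0-9./]*)
            echo "blacklist_add: refusing bad address '$1'" >&2
            return 1 ;;
    esac
    echo "ipfw table ${BLACKLIST_TABLE} add $1"
}

# SYN-flood defence inside the TCP stack (the "SYN cookies and SYN cache" Chuck
# refers to). syncookies=1 lets the stack answer SYNs statelessly once the
# syncache is full; syncookies_only=0 keeps the syncache for normal load.
syn_defense_sysctls() {
    cat <<EOF
sysctl net.inet.tcp.syncookies=1
sysctl net.inet.tcp.syncookies_only=0
EOF
}

# After applying, these counters should move during a flood; if "cookies sent"
# stays at zero while the syncache overflows, cookies are not actually in use.
syn_check_cmd() {
    echo "netstat -s -p tcp | egrep -i 'syncache|cookie'"
}

case "${1:-}" in
    apply)
        { syn_defense_sysctls; public_service_rules; blacklist_add 192.0.2.0/24; } | sh
        ;;
    *)
        syn_defense_sysctls
        public_service_rules
        blacklist_add 192.0.2.0/24
        syn_check_cmd
        ;;
esac
```

Keep-state is still appropriate for traffic the host originates (outbound admin sessions, for instance); the point is only that the port the whole Internet can SYN at must not cost a dynamic-rule slot per packet. The `"table(N)"` form is the FreeBSD 9 syntax; later releases also accept named tables created with `ipfw table ... create`.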