From: Chuck Swiger
Date: Thu, 15 Mar 2012 13:30:07 -0700
To: Seyit Özgür
Cc: freebsd-net@freebsd.org
Subject: Re: Malformed syn packet cause %100 cpu and interrupts FreeBSD 9.0 release
Message-id: <13511933-562D-4887-951B-5BB01F62AB00@mac.com>
In-reply-to: <3807CE6F3BF4B04EB897F4EBF2D258CE5C05F28C@yuhanna.magnetdigital.local>
References: <3807CE6F3BF4B04EB897F4EBF2D258CE5C05F221@yuhanna.magnetdigital.local> <38FA7BAB-AC2B-4515-85CF-27F77C3F4313@mac.com> <3807CE6F3BF4B04EB897F4EBF2D258CE5C05F28C@yuhanna.magnetdigital.local>
List-Id: Networking and TCP/IP with FreeBSD
On Mar 15, 2012, at 1:17 PM, Seyit Özgür wrote:

> Thanks for quick reply.. but I don't use firewall. I tried to use PF.. Packet filter gets stuck up to 100.000 syn packets flooding (on open port).. Without packet filter it handles much more syn flooding. Like 1Mpps can handle w/o interrupts that I see on my equipment
> But in this case "malformed packets" I got interrupts also input packet error.. cause %100 cpu..
> Is there any way to stop them without firewall ? Any rfc kernel feature can check and stop those bogus packets ?
> Or do I something wrong on PF ?

I prefer IPFW myself, but you probably ran out of stateful rule slots. For a high-volume service which is expected to be Internet-reachable (i.e., port 80 to a busy webserver), you really just don't want to have stateful rules -- it's too easy to DoS the firewall itself, as you noticed. In any event, you don't need state if you are just blacklisting attack sources.

You haven't really identified what you mean by "malformed", but maybe you are talking about a SYN flood, in which case make sure that SYN cookies and SYN cache are enabled...

Regards,
--
-Chuck
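Two things Chuck recommends above lend themselves to a quick check: confirming that SYN cookies and the syncache are actually on, and blacklisting attack sources without stateful rules. The script below is an added example and is not part of the thread or of FreeBSD itself. It assumes FreeBSD `sysctl` output in its usual "name: value" form (the sample lines are constructed, not taken from a real host), the sysctl names `net.inet.tcp.syncookies` and `net.inet.tcp.syncache.cachelimit`, and the FreeBSD 9 era `ipfw table` syntax; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Assumes FreeBSD sysctl
# output of the form "name: value" and the ipfw lookup-table syntax used
# around FreeBSD 9 (`ipfw table N add ADDR`, `from table(N)`).

# audit_syn_defenses SYSCTL_OUTPUT
# Returns 0 when SYN cookies are enabled and the syncache has a non-zero
# capacity; otherwise prints what is wrong and returns 1.
audit_syn_defenses() {
    syncookies=""
    cachelimit=""
    # Parse "name: value" lines; a here-document keeps the loop in the
    # current shell so the variables survive after it.
    while IFS= read -r line; do
        case "$line" in
            "net.inet.tcp.syncookies: "*)         syncookies="${line#*: }" ;;
            "net.inet.tcp.syncache.cachelimit: "*) cachelimit="${line#*: }" ;;
        esac
    done <<EOF
$1
EOF
    rc=0
    if [ "$syncookies" != "1" ]; then
        echo "SYN cookies off or unknown (net.inet.tcp.syncookies=${syncookies:-missing})"
        rc=1
    fi
    case "$cachelimit" in
        ''|*[!0-9]*) echo "syncache limit missing or not numeric"; rc=1 ;;
        0)           echo "syncache has zero capacity (cachelimit=0)"; rc=1 ;;
    esac
    return $rc
}

# blacklist_rules TABLE RULENUM ADDR...
# Emits stateless ipfw commands that drop everything from the listed
# sources through one table lookup, so no dynamic rule slot is consumed
# per attacking flow (the failure mode described in the reply).
blacklist_rules() {
    table="$1"; rule="$2"; shift 2
    for src in "$@"; do
        echo "ipfw table $table add $src"
    done
    echo "ipfw add $rule deny ip from table($table) to any"
}

# Constructed sample sysctl output (values invented for the example; on a
# real host use the output of
#   sysctl net.inet.tcp.syncookies net.inet.tcp.syncache.cachelimit).
SAMPLE_OK="net.inet.tcp.syncookies: 1
net.inet.tcp.syncache.cachelimit: 15359"
SAMPLE_BAD="net.inet.tcp.syncookies: 0
net.inet.tcp.syncache.cachelimit: 15359"

if audit_syn_defenses "$SAMPLE_OK"; then
    echo "sample OK: SYN cookies and syncache enabled"
fi
audit_syn_defenses "$SAMPLE_BAD" || echo "sample BAD flagged as expected"

# Documentation-range addresses (RFC 5737), constructed for the example.
blacklist_rules 1 100 192.0.2.10 198.51.100.7
```

On a live FreeBSD box the audit is `audit_syn_defenses "$(sysctl net.inet.tcp.syncookies net.inet.tcp.syncache.cachelimit)"`; the emitted `ipfw` lines are printed rather than executed so they can be reviewed before being applied.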