From: Nikolay Denev <ndenev@gmail.com>
Date: Fri, 16 Mar 2012 00:57:36 +0200
To: Seyit Özgür
Cc: freebsd-net@freebsd.org
Subject: Re: Malformed syn packet cause %100 cpu and interrupts FreeBSD 9.0 release
Message-Id: <14B45EAA-EC95-463B-A4C0-4CE9090FA274@gmail.com>
In-Reply-To: <3807CE6F3BF4B04EB897F4EBF2D258CE5C05F2D0@yuhanna.magnetdigital.local>
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net@freebsd.org>

On Mar 15, 2012, at 10:40 PM, Seyit Özgür wrote:

> Sorry, it's only my opinion, but I'm not a BSD guru; I've only been working on BSD for about 2 months.
> I know that PF and IPFW aren't built for a multicore architecture... As far as I know, if my server gets heavy SYN flood traffic, one core isn't enough for PF or IPFW.
> I also tried syncookies, syncookies_only and syncache. If I turn on syncookies, input errors start after 600,000 SYN packets per second. But with syncookie protection turned off, my server can handle many more SYN packets than 600,000.
> That's also why I don't use syncookies.
> Is there any stateful firewall software on FreeBSD which supports multicore processing? (Do you know of one?) I'm ready to set it up.
>
> I will get a tcpdump again with the -X parameter, then I will post it again.
>
> Thanks for your comments.
>
> ________________________________________
> From: Chuck Swiger [cswiger@mac.com]
> Sent: Thursday, March 15, 2012 10:30 PM
> To: Seyit Özgür
> Cc: freebsd-net@freebsd.org
> Subject: Re: Malformed syn packet cause %100 cpu and interrupts FreeBSD 9.0 release
>
> On Mar 15, 2012, at 1:17 PM, Seyit Özgür wrote:
>> Thanks for the quick reply, but I don't use a firewall. I tried to use PF.
>> The packet filter gets stuck at up to 100,000 SYN packets of flooding (on an open port). Without the packet filter it handles much more SYN flooding: something like 1 Mpps it can handle without the interrupts that I see on my equipment.
>> But in this case of "malformed packets" I get interrupts and also input packet errors, causing 100% CPU.
>> Is there any way to stop them without a firewall? Any RFC kernel feature that can check and stop those bogus packets?
>> Or am I doing something wrong in PF?
>
> I prefer IPFW myself, but you probably ran out of stateful rule slots. For a high-volume service which is expected to be Internet-reachable (i.e., port 80 to a busy webserver), you really just don't want to have stateful rules-- it's too easy to DoS the firewall itself, as you noticed. In any event, you don't need state if you are just blacklisting attack sources.
>
> You haven't really identified what you mean by "malformed", but maybe you are talking about a SYN flood, in which case make sure that SYN cookies and SYN cache are enabled...
>
> Regards,
> --
> -Chuck
>

In my experience you will endure a lot more SYN flood traffic if you use only syncache, and also increase the syncache sysctls.
Syncookies are somewhat more expensive to calculate and they cause 100% CPU load much sooner.

I use:

net.inet.tcp.syncache.hashsize=2048
net.inet.tcp.syncache.cachelimit=61440
net.inet.tcp.syncache.bucketlimit=30

Does this work better for you?
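The three values Nikolay posts are related: 2048 * 30 = 61440, so his cachelimit is exactly hashsize times bucketlimit, which is also how the kernel derives cachelimit when it is not set explicitly. Two things the thread does not say but a practitioner tuning these needs to know: on FreeBSD all three OIDs are boot-time tunables (CTLFLAG_RDTUN), so they go in /boot/loader.conf and need a reboot rather than a sysctl(8) call, and the kernel silently falls back to the default hash size if hashsize is not a power of two. The script below is an added example, not code from the thread or from FreeBSD; it validates a candidate set of values, renders the loader.conf lines, and on a FreeBSD host shows the live counters. The sysctl OIDs are the real ones; the sed range markers used to pick the syncache section out of `netstat -s -p tcp` are assumed strings and may need adjusting to your release.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check FreeBSD syncache tunables
# before committing them to /boot/loader.conf, then show how to watch them.
#
# Assumptions, stated here because the thread does not cover them:
#  - net.inet.tcp.syncache.{hashsize,bucketlimit,cachelimit} are read-only
#    tunables (CTLFLAG_RDTUN): set in /boot/loader.conf, effective after reboot.
#  - the kernel requires hashsize to be a power of two and, when cachelimit is
#    unset, computes it as hashsize * bucketlimit.

# is_pow2 N -> exit 0 if N is a positive power of two
is_pow2() {
    n=$1
    [ "$n" -gt 0 ] 2>/dev/null || return 1
    while [ $((n % 2)) -eq 0 ]; do
        n=$((n / 2))
    done
    [ "$n" -eq 1 ]
}

# check_syncache HASHSIZE BUCKETLIMIT CACHELIMIT
# Prints one line per problem found; returns non-zero if there were any.
check_syncache() {
    hs=$1; bl=$2; cl=$3
    rc=0
    if ! is_pow2 "$hs"; then
        echo "hashsize=$hs is not a power of two; the kernel will ignore it and use the default"
        rc=1
    fi
    if [ "$bl" -lt 1 ] || [ "$cl" -lt 1 ]; then
        echo "bucketlimit and cachelimit must be positive"
        rc=1
    fi
    # Each bucket holds at most bucketlimit entries, so any cachelimit above
    # hashsize*bucketlimit can never be reached: the per-bucket cap binds first.
    if [ "$cl" -gt $((hs * bl)) ]; then
        echo "cachelimit=$cl exceeds hashsize*bucketlimit=$((hs * bl)); the excess is unreachable"
        rc=1
    fi
    return $rc
}

# loader_conf HASHSIZE BUCKETLIMIT CACHELIMIT -> the lines for /boot/loader.conf
loader_conf() {
    printf 'net.inet.tcp.syncache.hashsize=%s\n' "$1"
    printf 'net.inet.tcp.syncache.bucketlimit=%s\n' "$2"
    printf 'net.inet.tcp.syncache.cachelimit=%s\n' "$3"
}

# syncache_status: on a FreeBSD host, show the effective tunables, current
# occupancy, the cookie switches, and the syncache counters from netstat.
# On any other OS it just says so, so the script is safe to run anywhere.
syncache_status() {
    if [ "$(uname -s 2>/dev/null)" != "FreeBSD" ]; then
        echo "not a FreeBSD host; skipping live syncache check"
        return 0
    fi
    sysctl net.inet.tcp.syncache.hashsize net.inet.tcp.syncache.bucketlimit \
           net.inet.tcp.syncache.cachelimit net.inet.tcp.syncache.count \
           net.inet.tcp.syncookies net.inet.tcp.syncookies_only
    # Assumed marker strings for the syncache block of "netstat -s -p tcp";
    # "bucket overflow" / "cache overflow" climbing under load means the
    # limits above are too small for the flood you are seeing.
    netstat -s -p tcp | sed -n '/syncache entries added/,/cookies received/p'
}

# Validate the values posted in the thread and print the loader.conf lines.
check_syncache 2048 30 61440 && loader_conf 2048 30 61440
syncache_status
```

Run it on the box once after changing /boot/loader.conf and rebooting, and compare net.inet.tcp.syncache.count against cachelimit while the flood is in progress; if the count sits at the limit and the overflow counters keep rising, the cache is the bottleneck and the numbers need to go up again.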