Date:      Thu, 15 Mar 2012 16:20:40 -0700
From:      Michael Sierchio <kudzu@tenebras.com>
To:        Chuck Swiger <cswiger@mac.com>
Cc:        "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>, Seyit Özgür <seyit.ozgur@istanbul.net>
Subject:   Re: Malformed syn packet cause %100 cpu and interrupts FreeBSD 9.0 release
Message-ID:  <CAHu1Y71G-bpEhkLGimpNyM5GGtuUaGqdW7fM_tTK0_wKXFQqNQ@mail.gmail.com>
In-Reply-To: <13511933-562D-4887-951B-5BB01F62AB00@mac.com>
References:  <3807CE6F3BF4B04EB897F4EBF2D258CE5C05F221@yuhanna.magnetdigital.local> <38FA7BAB-AC2B-4515-85CF-27F77C3F4313@mac.com> <3807CE6F3BF4B04EB897F4EBF2D258CE5C05F28C@yuhanna.magnetdigital.local> <13511933-562D-4887-951B-5BB01F62AB00@mac.com>

2012/3/15 Chuck Swiger <cswiger@mac.com>

> I prefer IPFW myself, but you probably ran out of stateful rule slots.  For
> a high-volume service which is expected to be Internet-reachable (i.e., port
> 80 to a busy webserver), you really just don't want to have stateful
> rules -- it's too easy to DoS the firewall itself, as you noticed.  In any
> event, you don't need state if you are just blacklisting attack sources.
>

I too prefer ipfw, especially since adding blacklist IP addresses or
networks to a table is extremely efficient.


> You haven't really identified what you mean by "malformed", but maybe you
> are talking about a SYN flood, in which case make sure that SYN cookies and
> SYN cache are enabled...


I'm still wondering, too.  Are the packets malformed, or is this a SYN
flood?

- M
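The two rule styles this exchange contrasts, as an added example rather than anything posted in the thread: a ruleset that keeps state on port 80 (the one Chuck warns fills the firewall's dynamic-rule slots) beside a stateless one that drops attack sources with a single ipfw table lookup, plus the SYN-cookie sysctls to check. The table number, rule numbers and the blacklist prefixes are assumptions; the script only emits the commands so they can be reviewed before being run on a FreeBSD 9 host.

```shell
#!/bin/sh
# Added example, not code from the thread. Emits ipfw rulesets for a busy
# Internet-facing web server; nothing here executes ipfw or sysctl itself.

# Constructed blacklist: RFC 5737 documentation prefixes, not real sources.
BLACKLIST="203.0.113.0/24
198.51.100.7"
TABLE=1   # assumed numbered ipfw table (FreeBSD 9 syntax)

# Weak ruleset: every new HTTP connection installs a dynamic rule, so a SYN
# flood exhausts net.inet.ip.fw.dyn_max and the firewall becomes the victim.
stateful_rules() {
    printf 'ipfw add 100 check-state\n'
    printf 'ipfw add 200 allow tcp from any to me 80 setup keep-state\n'
}

# Recommended ruleset: blacklisted sources are rejected by one table lookup,
# whatever the table size, and port 80 is admitted without tracking state.
stateless_rules() {
    printf 'ipfw table %s flush\n' "$TABLE"
    for net in $BLACKLIST; do
        printf 'ipfw table %s add %s\n' "$TABLE" "$net"
    done
    printf 'ipfw add 100 deny ip from table(%s) to any\n' "$TABLE"
    printf 'ipfw add 200 allow tcp from any to me 80\n'
}

# SYN-flood mitigation from the thread: syncookies on, syncache limit visible.
syn_sysctls() {
    printf 'sysctl net.inet.tcp.syncookies=1\n'
    printf 'sysctl net.inet.tcp.syncache.cachelimit\n'
}

# Number of rules in a ruleset that create dynamic state (0 for stateless).
count_keep_state() {
    "$1" | grep -c 'keep-state' || true
}

stateful_rules; stateless_rules; syn_sysctls
```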
