From owner-freebsd-net@FreeBSD.ORG Thu Mar 15 23:20:42 2012
Delivered-To: freebsd-net@freebsd.org
Date: Thu, 15 Mar 2012 16:20:40 -0700
From: Michael Sierchio
To: Chuck Swiger
Cc: freebsd-net@freebsd.org, Seyit Özgür
Subject: Re: Malformed syn packet cause %100 cpu and interrupts FreeBSD 9.0 release
In-Reply-To: <13511933-562D-4887-951B-5BB01F62AB00@mac.com>
References: <3807CE6F3BF4B04EB897F4EBF2D258CE5C05F221@yuhanna.magnetdigital.local> <38FA7BAB-AC2B-4515-85CF-27F77C3F4313@mac.com> <3807CE6F3BF4B04EB897F4EBF2D258CE5C05F28C@yuhanna.magnetdigital.local> <13511933-562D-4887-951B-5BB01F62AB00@mac.com>
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Thu, 15 Mar 2012 23:20:42 -0000

2012/3/15 Chuck Swiger:

> I prefer IPFW myself, but you probably ran out of stateful rule slots. For
> a high-volume service which is expected to be Internet-reachable (i.e., port
> 80 to a busy webserver), you really just don't want to have stateful
> rules -- it's too easy to DoS the firewall itself, as you noticed. In any
> event, you don't need state if you are just blacklisting attack sources.

I too prefer ipfw, especially since adding blacklist IP addresses or networks
to a table is extremely efficient.

> You haven't really identified what you mean by "malformed", but maybe you
> are talking about a SYN flood, in which case make sure that SYN cookies and
> SYN cache are enabled...

I'm still wondering, too. Are the packets malformed, or is this a SYN flood?

- M
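The two pieces of advice in this exchange (keep the public-service rules stateless, keep the blacklist in an ipfw lookup table, and verify SYN cookies are on) put together as a script. This is an added example, not code from the thread or from FreeBSD's own rc scripts; the table number (1), the service port (80), the rule numbers and the sample attacker list and sysctl output are assumptions chosen for illustration, while the sysctl name net.inet.tcp.syncookies and the ipfw table(N) syntax are FreeBSD's own.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeBSD's rc.firewall):
# build a stateless ipfw ruleset whose blacklist lives in a lookup table,
# and check whether SYN cookies are enabled from sysctl output.
# Table number, port, rule numbers and sample data are assumptions.

# Print "table N add <addr>" commands for each unique, syntactically valid
# IPv4 address or CIDR prefix read from stdin (one per line). Entries that
# do not look like an address are dropped so one bad log line cannot abort
# the whole load.
emit_blacklist_rules() {
    table="$1"
    sort -u | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' |
    while IFS= read -r addr; do
        printf 'table %s add %s\n' "$table" "$addr"
    done
}

# Stateless rules for a busy Internet-facing service: no keep-state or
# check-state anywhere, so a flood cannot exhaust the dynamic rule slots.
# Blacklisted sources are dropped before anything else is evaluated.
emit_stateless_service_rules() {
    table="$1"
    port="$2"
    printf 'add 100 deny ip from table(%s) to any\n' "$table"
    printf 'add 200 allow tcp from any to me %s\n' "$port"
    printf 'add 210 allow tcp from me %s to any established\n' "$port"
}

# Read "name: value" lines as printed by
#   sysctl net.inet.tcp.syncookies net.inet.tcp.syncache
# on stdin; return 0 if net.inet.tcp.syncookies is 1, 1 otherwise
# (including when the OID is absent from the input).
syn_cookies_enabled() {
    awk '$1 == "net.inet.tcp.syncookies:" { found = 1; val = $2 }
         END { exit ((found && val == 1) ? 0 : 1) }'
}

# Constructed sample inputs (not real attack data, not a real host).
ATTACKERS='198.51.100.7
198.51.100.7
not-an-address
203.0.113.0/24'

SYSCTL_SAMPLE='net.inet.tcp.syncookies: 1
net.inet.tcp.syncache.rexmtlimit: 3
net.inet.tcp.syncache.cachelimit: 15375'

# Emit a complete ruleset file on stdout. On the firewall you would redirect
# this to a file and load it with:  ipfw -q /path/to/that/file
{
    printf 'flush\n'
    printf 'table 1 flush\n'
    printf '%s\n' "$ATTACKERS" | emit_blacklist_rules 1
    emit_stateless_service_rules 1 80
}

printf '%s\n' "$SYSCTL_SAMPLE" | syn_cookies_enabled ||
    echo 'WARNING: net.inet.tcp.syncookies is off; turn it on with: sysctl net.inet.tcp.syncookies=1' >&2
```

In production the attacker list would come from your logs or a feed rather than the inline sample, and the sysctl check would read `sysctl net.inet.tcp.syncookies net.inet.tcp.syncache` directly; adding to a table with `ipfw table 1 add` while the rules are live is what makes the table approach cheap compared with inserting one deny rule per source.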