From: Barney Wolff
To: Josh Brooks
Cc: Lars Eggert, freebsd-net@FreeBSD.ORG
Date: Sun, 5 Jan 2003 17:15:49 -0500
Subject: Re: Need help dealing with (D)DoS attacks (desperately)
Message-ID: <20030105221549.GA81793@pit.databus.com>
In-Reply-To: <20030105132545.I80512-100000@mail.econolodgetulsa.com>
References: <3E18A1BA.8000607@isi.edu> <20030105132545.I80512-100000@mail.econolodgetulsa.com>

On Sun, Jan 05, 2003 at 01:31:24PM -0800, Josh Brooks wrote:
> So, I have 927 ipfw rules in place - but I am guessing that about 800 of
> those rules are just "count" rules for me to count bandwidth:
>
> 001 164994 120444282 count ip from any to 10.10.10.10
> 002 158400 16937232 count ip from 10.10.10.10 to any

Much of your problem is that you're running through all the rules on every packet. ipfw keeps going until it hits an allow or deny rule. Since all rules get counted, I'd suggest putting all your denies up front, and then have allow rules, not count rules, with the most heavily used addresses first. That way, many fewer rules should get interpreted for each packet.

An even fancier scheme would use skipto and divide up your IP ranges in a binary search.

-- 
Barney Wolff http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.
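The three layouts Barney describes (count rules that fall through, terminating allow rules ordered by traffic, and a skipto tree over the address range), as an added simulation that is not part of this thread or of ipfw itself. It assumes constructed networks (eight customer /24s under 10.10.0.0/21, a hypothetical 192.0.2.0/24 range to drop) and simplifies each rule to a test on a single address field; the numbers it returns are rules examined per packet, which is the cost the message is talking about.

```python
"""Simulate ipfw rule traversal to compare count, allow-first and skipto layouts."""
import ipaddress

def evaluate(rules, addr):
    """Walk rules in order the way ipfw does: a matching 'count' falls through,
    'allow'/'deny' terminate, 'skipto N' jumps to the first rule numbered >= N.
    Returns (verdict, number of rules examined)."""
    addr = ipaddress.ip_address(addr)
    i = examined = 0
    while i < len(rules):
        num, action, net = rules[i]
        examined += 1
        if addr in ipaddress.ip_network(net):
            if action in ("allow", "deny"):
                return action, examined
            if action.startswith("skipto"):
                target = int(action.split()[1])
                i = next((k for k, r in enumerate(rules) if r[0] >= target), len(rules))
                continue
        i += 1
    return "deny", examined           # implicit default deny at the end of the ruleset

# Constructed sample data: eight customer /24s and one range that should be dropped.
NETS = [f"10.10.{n}.0/24" for n in range(8)]
DENY = (1, "deny", "192.0.2.0/24")    # hypothetical attacker range, denies go first

def count_layout():
    """Original style: one count rule per customer; every packet walks all of them."""
    counts = [(10 + n, "count", net) for n, net in enumerate(NETS)]
    return [DENY] + counts + [(99, "allow", "0.0.0.0/0")]

def allow_first_layout(busiest_first):
    """Denies up front, then terminating allow rules ordered by traffic volume."""
    return [DENY] + [(10 + k, "allow", NETS[n]) for k, n in enumerate(busiest_first)]

def skipto_layout():
    """Denies up front, then a skipto tree that halves the range at each level."""
    rules = [DENY]
    def build(net):
        if net.prefixlen >= 24:                   # leaf: a terminating allow
            rules.append((len(rules) + 1, "allow", str(net)))
            return
        lo, hi = net.subnets(prefixlen_diff=1)
        slot = len(rules)
        rules.append(None)                        # skipto filled in once hi's start is known
        build(lo)
        rules[slot] = (slot + 1, f"skipto {len(rules) + 1}", str(hi))
        build(hi)
    build(ipaddress.ip_network("10.10.0.0/21"))
    return rules
```

With eight /24s the count layout examines 10 rules for every packet, the allow-first layout between 2 and 9 depending on the address's position, and the skipto tree a constant 5 (one deny plus three halvings plus the leaf) at the cost of 16 rules total.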