Subject: Re: What is my next step as a script kiddie ? (DDoS)
In-Reply-To: <20030111150725.E78856-100000@mail.econolodgetulsa.com>
To: Josh Brooks
Date: Sun, 12 Jan 2003 03:55:01 +0300 (MSK)
From: "."@babolo.ru
Cc: Richard A Steenbergen, freebsd-net@FreeBSD.ORG
Message-Id: <1042332901.347040.69073.nullmailer@cicuta.babolo.ru>

> Thanks for your help - two last questions regarding this:
>
> 1. On a FreeBSD router/firewall, does it take more processing power to
> respond to (and reset) a SYN to a target IP:port that is nonexistent than
> it does to respond to a target IP:port that is in heavy use?
>
> that is, is there some caching mechanism in use that makes incoming DoS
> packets to _already busy_ IP:ports "cost less" in terms of processor than
> SYN packets to IP:ports that don't exist? Just curious.

I think (looking at my routers) that the exact ipfw rules have much more
influence on CPU usage. But _why_ does your router respond at all? Just drop
everything that comes to the router with dst == any of the router's IPs,
except some ICMP.
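
The approach suggested in the reply above, sketched as an ipfw rule set. This is an added example, not part of the original message; the rule numbers, the ICMP types kept, the loopback rule and the management network allowed to reach sshd are all assumptions.

```sh
#!/bin/sh
# Added example: drop traffic addressed to the router itself, except some ICMP.
# Dry run by default: the rules are printed, not installed. Run with
# IPFW=ipfw as root on the FreeBSD router to load them.
IPFW="${IPFW:-echo ipfw}"

# Assumptions (not from the original message):
ICMP_TYPES="3,8,11"       # unreachable (incl. PMTU discovery), echo request, time exceeded
MGMT_NET="192.0.2.0/24"   # documentation prefix; replace with the real admin network

router_self_rules() {
    # ipfw is first-match, so these sit near the top: a flood packet aimed at
    # the router is discarded after only a handful of rule evaluations.
    $IPFW add 100 allow ip from any to any via lo0
    $IPFW add 110 allow icmp from any to me icmptypes "$ICMP_TYPES"
    $IPFW add 120 allow tcp from "$MGMT_NET" to me 22
    # "deny" discards silently; unlike "reset" or "unreach" it sends no reply,
    # so the router spends nothing on answering SYNs to closed ports.
    $IPFW add 190 deny ip from any to me
    # Transit traffic (destination is not a router address) matches none of
    # the rules above and continues to whatever rules follow.
}

router_self_rules
```

Rule 190 also discards replies to connections the router itself opens (DNS, NTP) and any routing-protocol sessions, so allow those explicitly before it if the router needs them.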