Date: Sun, 29 Feb 2004 01:28:46 -0500
From: Deepak Jain <deepak@ai.net>
To: Mike Silbersack <silby@silby.com>
Cc: freebsd-hackers@freebsd.org
Subject: Re: em0, polling performance, P4 2.8ghz FSB 800mhz
Message-ID: <4041869E.2070208@ai.net>
In-Reply-To: <20040229001251.Q11460@odysseus.silby.com>
References: <FE045D4D9F7AED4CBFF1B3B813C85337045D8307@mail.sandvine.com> <20040229001251.Q11460@odysseus.silby.com>
>>You could use ipfw to limit the damage of a syn flood, e.g.
>>a keep-state rule with a limit of ~2-5 per source IP, lower the
>>timeouts, increase the hash buckets in ipfw, etc. This would
>>use a mask on src-ip of all bits.
>>something like:
>>allow tcp from any to any setup limit src-addr 2
>>
>>this would only allow 2 concurrent TCP sessions per unique
>>source address. Depends on the syn flood you are expecting
>>to experience. You could also use dummynet to shape syn
>>traffic to a fixed level i suppose.
>
>
> Does that really help? If so, we need to optimize the syncache. :(
>

I know that if I rate shape the setup traffic, it helps.

DJ
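
Added example, not part of the original thread: a simplified Python model of the two mitigations discussed above, a per-source session limit (as in `setup limit src-addr 2`) and rate shaping of setup traffic, run over two constructed SYN traces to show how each depends on the number of distinct sources. The function names, traces and shaping parameters are assumptions for illustration; this is not ipfw or dummynet code, and state expiry is not modelled.

```python
from collections import Counter

def per_source_limit(syns, limit=2):
    """Model of a 'limit src-addr N' rule: a SYN is admitted only while its
    source holds fewer than `limit` sessions. Sessions never expire here."""
    active = Counter()
    admitted = 0
    for _ts_ms, src in syns:
        if active[src] < limit:
            active[src] += 1
            admitted += 1
    return admitted

def rate_shape(syns, rate_per_s, burst):
    """Token bucket over all setup packets regardless of source.
    Integer milli-tokens keep the arithmetic exact; excess SYNs are dropped
    (a real shaper would queue some of them first)."""
    cap = burst * 1000
    tokens, last, admitted = cap, None, 0
    for ts_ms, _src in syns:
        if last is not None:
            # rate_per_s tokens/second == rate_per_s milli-tokens/millisecond
            tokens = min(cap, tokens + (ts_ms - last) * rate_per_s)
        last = ts_ms
        if tokens >= 1000:
            tokens -= 1000
            admitted += 1
    return admitted

# Constructed traces: 1000 SYNs over one second as (timestamp_ms, source).
FEW_SOURCES = [(i, f"10.0.0.{i % 4 + 1}") for i in range(1000)]               # 4 sources
MANY_SOURCES = [(i, f"10.0.{i // 250}.{i % 250 + 1}") for i in range(1000)]   # 1000 sources

def summary():
    """SYNs admitted to the host under each control, per trace."""
    return {
        "limit_few": per_source_limit(FEW_SOURCES),
        "limit_many": per_source_limit(MANY_SOURCES),
        "shape_few": rate_shape(FEW_SOURCES, rate_per_s=100, burst=10),
        "shape_many": rate_shape(MANY_SOURCES, rate_per_s=100, burst=10),
    }

if __name__ == "__main__":
    for name, count in summary().items():
        print(f"{name:11s} admitted {count} of 1000 SYNs")
```

In this model the per-source limit bounds the load only when the SYNs come from a small number of addresses, while the shaper admits the same number of setup packets whatever the source distribution.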