From: Seyit Özgür <seyit.ozgur@istanbul.net>
To: Michael Sierchio, Chuck Swiger
Cc: freebsd-net@freebsd.org
Subject: RE: Malformed syn packet cause %100 cpu and interrupts FreeBSD 9.0 release
Date: Fri, 16 Mar 2012 08:07:53 +0000
Message-ID: <3807CE6F3BF4B04EB897F4EBF2D258CE5C05F65C@yuhanna.magnetdigital.local>
List-Id: Networking and TCP/IP with FreeBSD

It's of course a SYN flood with malformed SYN packets, around 100,000 packets per second from different IP addresses. At around 40,000 pps input errors start and the CPU goes to 100% (the NIC uses 8 cores with different IRQs, x8 bus (2.5 GT/s); all CPUs at 100%). It also can't handle 60,000 pps.

But with a normal SYN flood the same equipment can handle around 1 Mpps (different IPs). This is without any firewall software, just tuning some kernel params.

Today I will get a tcpdump with the -X param, and I will share it with you.

I think this problem is about those packets being processed by the CPU and the CPU going up to 100%, but those are bogus SYN packets. I think if bogus SYN packets weren't processed by the CPU, it would be OK.

Regards,

Seyit Özgür
Network Administrator

From: Michael Sierchio [mailto:kudzu@tenebras.com]
Sent: Friday, March 16, 2012 1:21 AM
To: Chuck Swiger
Cc: Seyit Özgür; freebsd-net@freebsd.org
Subject: Re: Malformed syn packet cause %100 cpu and interrupts FreeBSD 9.0 release

2012/3/15 Chuck Swiger

> I prefer IPFW myself, but you probably ran out of stateful rule slots. For a high-volume service which is expected to be Internet-reachable (i.e., port 80 to a busy webserver), you really just don't want to have stateful rules -- it's too easy to DoS the firewall itself, as you noticed. In any event, you don't need state if you are just blacklisting attack sources.

I too prefer ipfw, especially since adding blacklist IP addresses or networks to a table is extremely efficient.

> You haven't really identified what you mean by "malformed", but maybe you are talking about a SYN flood, in which case make sure that SYN cookies and SYN cache are enabled...

I'm still wondering, too. Are the packets malformed, or is this a SYN flood?

- M
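The thread hinges on whether the SYN packets are actually malformed or just a plain flood. The following is an added example (not code from the thread or from FreeBSD) of the sanity checks one would run over the raw IPv4/TCP bytes of the tcpdump capture mentioned above: IP header length and total length, IP and TCP checksums, TCP data offset, and flag combinations a real SYN never carries. The packet bytes are constructed inline with addresses from the RFC 5737 documentation ranges; `classify`, `summarize` and `build_packet` are names chosen here.

```python
"""Sanity checks for captured IPv4/TCP SYN packets.

Added example (not code from the thread). Packet bytes are constructed
below with addresses from the RFC 5737 documentation ranges; in practice
the frames would come from a capture such as the tcpdump the thread mentions.
"""
import ipaddress
import struct
from collections import Counter

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; a valid header/segment sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def classify(frame: bytes) -> str:
    """Return 'ok-syn', 'not-tcp', 'not-syn' or 'malformed: <reason>'."""
    if len(frame) < 20:
        return "malformed: truncated IPv4 header"
    if frame[0] >> 4 != 4:
        return "malformed: not IPv4"
    ihl = (frame[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(frame):
        return "malformed: bad IHL"
    if struct.unpack("!H", frame[2:4])[0] != len(frame):
        return "malformed: IP total length mismatch"
    if internet_checksum(frame[:ihl]) != 0:
        return "malformed: bad IP checksum"
    if frame[9] != 6:
        return "not-tcp"
    tcp = frame[ihl:]
    if len(tcp) < 20:
        return "malformed: truncated TCP header"
    data_offset = (tcp[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(tcp):
        return "malformed: bad TCP data offset"
    # TCP checksum covers the pseudo header (src, dst, zero, proto, length).
    pseudo = frame[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    if internet_checksum(pseudo + tcp) != 0:
        return "malformed: bad TCP checksum"
    flags = tcp[13]
    if not flags & SYN:
        return "not-syn"
    if flags & (FIN | RST):  # SYN never travels with FIN or RST
        return "malformed: illegal SYN flag combination"
    return "ok-syn"


def summarize(frames):
    """Count verdicts and the source addresses responsible for malformed packets."""
    verdicts, bad_sources = Counter(), Counter()
    for frame in frames:
        verdict = classify(frame)
        verdicts[verdict] += 1
        if verdict.startswith("malformed") and len(frame) >= 20:
            bad_sources[str(ipaddress.IPv4Address(frame[12:16]))] += 1
    return verdicts, bad_sources


def build_packet(src, dst, sport, dport, flags, corrupt=None):
    """Constructed IPv4+TCP packet (no options, no payload); corrupt='tcp' breaks the TCP checksum."""
    src_b, dst_b = ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, 6, len(tcp))
    tcp_csum = internet_checksum(pseudo + tcp)
    if corrupt == "tcp":
        tcp_csum ^= 0x5555  # guaranteed to differ from the correct value
    tcp = tcp[:16] + struct.pack("!H", tcp_csum) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", internet_checksum(ip)) + ip[12:]
    return ip + tcp


def with_byte(data: bytes, index: int, value: int) -> bytes:
    """Return a copy of data with one byte overwritten (used to fake a bad header field)."""
    return data[:index] + bytes([value]) + data[index + 1:]


SERVER = "198.51.100.1"
SAMPLE_FRAMES = [  # constructed sample capture, not real traffic
    build_packet("192.0.2.10", SERVER, 40000, 80, SYN),
    build_packet("192.0.2.11", SERVER, 40001, 80, SYN | ACK),
    build_packet("192.0.2.12", SERVER, 40002, 80, SYN, corrupt="tcp"),
    build_packet("192.0.2.12", SERVER, 40003, 80, SYN | FIN),
    build_packet("192.0.2.13", SERVER, 40004, 80, SYN)[:-4],  # IP total length now lies
    with_byte(build_packet("192.0.2.13", SERVER, 40005, 80, SYN), 32, 0x20),  # TCP data offset 8
    build_packet("192.0.2.14", SERVER, 40006, 80, ACK),
]

if __name__ == "__main__":
    verdicts, bad_sources = summarize(SAMPLE_FRAMES)
    for verdict, count in sorted(verdicts.items()):
        print(f"{count:3d}  {verdict}")
    print("sources of malformed packets:", dict(bad_sources))
```

Run against a real capture, the per-source counter is the list one would feed into a stateless ipfw blacklist table (`ipfw table 1 add <address>`), which is the approach Chuck and Michael describe above; the checks are deliberately the same ones the kernel input path performs, so a packet failing them is work the host does before any SYN cookie or syncache logic can help.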