Date:      Fri, 16 Mar 2012 08:07:53 +0000
From:      Seyit Özgür <seyit.ozgur@istanbul.net>
To:        Michael Sierchio <kudzu@tenebras.com>, Chuck Swiger <cswiger@mac.com>
Cc:        "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>
Subject:   RE: Malformed syn packet cause %100 cpu and interrupts FreeBSD 9.0 release
Message-ID:  <3807CE6F3BF4B04EB897F4EBF2D258CE5C05F65C@yuhanna.magnetdigital.local>
In-Reply-To: <CAHu1Y71G-bpEhkLGimpNyM5GGtuUaGqdW7fM_tTK0_wKXFQqNQ@mail.gmail.com>
References:  <3807CE6F3BF4B04EB897F4EBF2D258CE5C05F221@yuhanna.magnetdigital.local> <38FA7BAB-AC2B-4515-85CF-27F77C3F4313@mac.com> <3807CE6F3BF4B04EB897F4EBF2D258CE5C05F28C@yuhanna.magnetdigital.local> <13511933-562D-4887-951B-5BB01F62AB00@mac.com> <CAHu1Y71G-bpEhkLGimpNyM5GGtuUaGqdW7fM_tTK0_wKXFQqNQ@mail.gmail.com>


It's of course a SYN flood with malformed SYN packets, around 100,000 packets per second from different IP addresses. At around 40,000 pps input errors start and the CPU goes to 100% (the NIC uses 8 cores with different IRQs, x8 bus (2.5 GT/s), all CPUs at 100%). It also can't handle 60,000 pps.

But with a normal SYN flood the same equipment can handle around 1 Mpps (different IPs), without any firewall software, just by tuning some kernel params.

Today I will get a tcpdump with the -X parameter, and I will share it with you.

I think this problem is about those packets being processed by the CPU, and the CPU goes up to 100%, but those are bogus SYN packets.

I think if bogus SYN packets were not processed by the CPU, it would be OK.

Regards

Seyit Özgür
Network Administrator

=20

From: Michael Sierchio [mailto:kudzu@tenebras.com]
Sent: Friday, March 16, 2012 1:21 AM
To: Chuck Swiger
Cc: Seyit Özgür; freebsd-net@freebsd.org
Subject: Re: Malformed syn packet cause %100 cpu and interrupts FreeBSD 9.0 release

2012/3/15 Chuck Swiger <cswiger@mac.com>

I prefer IPFW myself, but you probably ran out of stateful rule slots. For a high-volume service which is expected to be Internet-reachable (i.e., port 80 to a busy webserver), you really just don't want to have stateful rules -- it's too easy to DoS the firewall itself, as you noticed. In any event, you don't need state if you are just blacklisting attack sources.

I too prefer ipfw, especially since adding blacklist IP addresses or networks to a table is extremely efficient.

You haven't really identified what you mean by "malformed", but maybe you are talking about a SYN flood, in which case make sure that SYN cookies and SYN cache are enabled...

I'm still wondering, too. Are the packets malformed, or is this a SYN flood?

- M


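The thread turns on whether the SYNs are actually malformed or just numerous. The checker below is an added example, not code from any participant in the thread or from FreeBSD: it takes a raw IPv4/TCP segment (the bytes tcpdump -X shows after the Ethernet header) and lists concrete malformations a practitioner would look for: bad IP/TCP header lengths, total-length mismatch, SYN combined with FIN or RST, port 0, option lengths that run past the header, and checksum errors. The addresses, ports and packets are constructed here with the `build_segment` helper, not taken from the reporter's capture.

```python
"""Classify a raw IPv4/TCP segment as a clean SYN or list why it is malformed.
Added example; sample packets are constructed, not captured."""
import socket
import struct

FIN, SYN, RST = 0x01, 0x02, 0x04


def _csum(data: bytes) -> int:
    """RFC 1071 ones-complement sum; returns 0 over data whose checksum field is correct."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def _option_defects(opts: bytes) -> list:
    """Walk TCP options: flag a kind with a missing length byte, length < 2, or overrun."""
    out, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                     # End of option list
            break
        if kind == 1:                     # NOP carries no length byte
            i += 1
            continue
        if i + 1 >= len(opts):
            out.append("tcp option kind %d missing length byte" % kind)
            break
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            out.append("tcp option kind %d has bad length %d" % (kind, length))
            break
        i += length
    return out


def syn_defects(pkt: bytes) -> list:
    """Return one string per malformation found; an empty list means a clean SYN."""
    if len(pkt) < 20:
        return ["truncated: fewer than 20 bytes, no IPv4 header"]
    defects = []
    version, ihl = pkt[0] >> 4, (pkt[0] & 0x0F) * 4
    if version != 4:
        defects.append("ip version %d (expected 4)" % version)
    if ihl < 20 or ihl > len(pkt):
        defects.append("ip header length %d invalid for %d-byte packet" % (ihl, len(pkt)))
        return defects
    if struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        defects.append("ip total length does not match captured length %d" % len(pkt))
    if _csum(pkt[:ihl]) != 0:
        defects.append("ip header checksum mismatch")
    if pkt[9] != 6:
        defects.append("ip protocol %d is not TCP" % pkt[9])
        return defects
    src_ip, dst_ip, tcp = pkt[12:16], pkt[16:20], pkt[ihl:]
    if len(tcp) < 20:
        defects.append("tcp header truncated (%d bytes)" % len(tcp))
        return defects
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    doff, flags = (off_flags >> 12) * 4, off_flags & 0xFF
    if sport == 0 or dport == 0:
        defects.append("source or destination port 0")
    if not flags & SYN:
        defects.append("SYN flag not set")
    if flags & FIN:
        defects.append("SYN combined with FIN")
    if flags & RST:
        defects.append("SYN combined with RST")
    if doff < 20 or doff > len(tcp):
        defects.append("tcp data offset %d invalid for %d-byte segment" % (doff, len(tcp)))
        return defects
    defects += _option_defects(tcp[20:doff])
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(tcp))
    if _csum(pseudo + tcp) != 0:
        defects.append("tcp checksum mismatch")
    return defects


def build_segment(src, dst, sport, dport, flags, options=b"", doff=None, fix_csum=True):
    """Test-data helper (hypothetical): IPv4/TCP segment without payload. `doff` forces a
    bogus header length in bytes; fix_csum=False leaves both checksum fields zero."""
    opts = options + b"\x00" * (-len(options) % 4)          # pad options to 32-bit words
    hdr_len = doff if doff is not None else 20 + len(opts)
    off_flags = ((hdr_len // 4) << 12) | flags
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0x1000, 0, off_flags, 65535, 0, 0) + opts
    if fix_csum:
        pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
        tcp = tcp[:16] + struct.pack("!H", _csum(pseudo + tcp) or 0xFFFF) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0, src, dst)
    if fix_csum:
        ip = ip[:10] + struct.pack("!H", _csum(ip)) + ip[12:]
    return ip + tcp


# Constructed samples using TEST-NET addresses; not the reporter's traffic.
SRC, DST = socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.80")
GOOD_SYN = build_segment(SRC, DST, 40000, 80, SYN, options=b"\x02\x04\x05\xb4")  # MSS 1460
SYN_FIN_RST_PORT0 = build_segment(SRC, DST, 0, 80, SYN | FIN | RST)
SHORT_DOFF = build_segment(SRC, DST, 40000, 80, SYN, doff=8)
BAD_OPTION = build_segment(SRC, DST, 40000, 80, SYN, options=b"\x02\x09")        # MSS len 9
ZERO_CSUM = build_segment(SRC, DST, 40000, 80, SYN, fix_csum=False)

if __name__ == "__main__":
    for name, pkt in [("good", GOOD_SYN), ("flags", SYN_FIN_RST_PORT0), ("doff", SHORT_DOFF),
                      ("option", BAD_OPTION), ("csum", ZERO_CSUM)]:
        print(name, syn_defects(pkt) or "clean SYN")
```

Run over a capture, a list of defects per packet separates the two cases Michael Sierchio asks about: a plain high-rate SYN flood yields empty lists, while packets with short data offsets, contradictory flags or bad option lengths identify traffic that can be dropped on those properties alone, before any stateful rule is consulted.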


