Date: Fri, 16 Mar 2012 09:15:19 +0000
From: Seyit Özgür <seyit.ozgur@istanbul.net>
To: Nikolay Denev <ndenev@gmail.com>
Cc: "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>
Subject: RE: Malformed syn packet cause %100 cpu and interrupts FreeBSD 9.0 release
Message-ID: <3807CE6F3BF4B04EB897F4EBF2D258CE5C05F7E4@yuhanna.magnetdigital.local>
In-Reply-To: <14B45EAA-EC95-463B-A4C0-4CE9090FA274@gmail.com>
References: <3807CE6F3BF4B04EB897F4EBF2D258CE5C05F221@yuhanna.magnetdigital.local> <38FA7BAB-AC2B-4515-85CF-27F77C3F4313@mac.com> <3807CE6F3BF4B04EB897F4EBF2D258CE5C05F28C@yuhanna.magnetdigital.local> <13511933-562D-4887-951B-5BB01F62AB00@mac.com> <3807CE6F3BF4B04EB897F4EBF2D258CE5C05F2D0@yuhanna.magnetdigital.local> <14B45EAA-EC95-463B-A4C0-4CE9090FA274@gmail.com>
Here is my

bsd# sysctl -a | grep syncache.hashsize
net.inet.tcp.syncache.hashsize: 512
bsd# sysctl -a | grep syncache.cachelimit
net.inet.tcp.syncache.cachelimit: 15360
bsd# sysctl -a | grep syncache.bucketlimit
net.inet.tcp.syncache.bucketlimit: 30

I will increase hashsize and cachelimit and retest again..

Seyit Özgür
Network Administrator

-----Original Message-----
From: owner-freebsd-net@freebsd.org [mailto:owner-freebsd-net@freebsd.org] On Behalf Of Nikolay Denev
Sent: Friday, March 16, 2012 12:58 AM
To: Seyit Özgür
Cc: freebsd-net@freebsd.org
Subject: Re: Malformed syn packet cause %100 cpu and interrupts FreeBSD 9.0 release

On Mar 15, 2012, at 10:40 PM, Seyit Özgür wrote:

> Sorry, my opinion, but I'm not a BSD guru.. I have just been working on BSD for like 2 months..
> I know that PF or IPFW isn't built for a multicore architecture... As far as I know, if my server gets heavy SYN flood traffic, one core isn't enough for PF or IPFW..
> I also tried syn_cookie, syn_cookie_only and syn_cache.. If I enable syn_cookie, input errors start after 600.000 SYN packets per second. But when I turn off SYN cookie protection.. my server can handle many more SYN packets than 600.000..
> Also, that's why I don't use syncookies either..
> Is there any stateful firewall software on FreeBSD which supports multicore processing? (Do you know of one?) I'm up for setting it up..
>
> I will get a tcpdump again with the -X param.. then I will post it again..
>
> Thanks for your comments.
>
> ________________________________________
> From: Chuck Swiger [cswiger@mac.com]
> Sent: Thursday, March 15, 2012 10:30 PM
> To: Seyit Özgür
> Cc: freebsd-net@freebsd.org
> Subject: Re: Malformed syn packet cause %100 cpu and interrupts FreeBSD 9.0 release
>
> On Mar 15, 2012, at 1:17 PM, Seyit Özgür wrote:
>> Thanks for the quick reply.. but I don't use a firewall. I tried to use PF..
>> Packet filter gets stuck at up to 100.000 SYN packets flooding (on an open port).. Without the packet filter it handles much more SYN flooding. Like 1Mpps can be handled w/o the interrupts that I see on my equipment. But in this case of "malformed packets" I get interrupts and also input packet errors.. causing 100% CPU..
>> Is there any way to stop them without a firewall? Any RFC kernel feature that can check and stop those bogus packets?
>> Or am I doing something wrong with PF?
>
> I prefer IPFW myself, but you probably ran out of stateful rule slots. For high-volume services which are expected to be Internet-reachable (ie, port 80 to a busy webserver), you really just don't want to have stateful rules-- it's too easy to DoS the firewall itself, as you noticed. In any event, you don't need state if you are just blacklisting attack sources.
>
> You haven't really identified what you mean by "malformed", but maybe you are talking about a SYN flood, in which case make sure that SYN cookies and SYN cache are enabled...
>
> Regards,
> --
> -Chuck
>

In my experience you will endure a lot more SYN flood traffic if you use only syncache, and also increase the syncache sysctls. Syncookies are somewhat more expensive to calculate and they cause 100% CPU load much sooner.

I use:

net.inet.tcp.syncache.hashsize=2048
net.inet.tcp.syncache.cachelimit=61440
net.inet.tcp.syncache.bucketlimit=30

Does this work better for you?

_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
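An added example, not code from anyone in this thread: a POSIX sh script that reads the three syncache oids out of captured `sysctl` output (a constructed sample, using the values Seyit posted), checks them the way FreeBSD's syncache_init() does (hashsize must be a power of two or the kernel falls back to its default; cachelimit defaults to hashsize * bucketlimit, which is why 512 * 30 gives Seyit's 15360 and 2048 * 30 gives Nikolay's 61440), and emits the `/boot/loader.conf` lines for Nikolay's suggested values. The function names are my own. The point a practitioner needs: these three oids are read-only tunables at runtime, so `sysctl -w` will not change them; they must go in `/boot/loader.conf` and take effect after a reboot.

```shell
#!/bin/sh
# Added example: sanity-check FreeBSD syncache tunables from captured sysctl
# output and print loader.conf lines. Runs offline on the constructed sample.

# Constructed sample, matching the values posted in the thread.
SAMPLE_SYSCTL='net.inet.tcp.syncache.hashsize: 512
net.inet.tcp.syncache.bucketlimit: 30
net.inet.tcp.syncache.cachelimit: 15360'

# syncache_get OID TEXT: value of net.inet.tcp.syncache.OID in sysctl output TEXT.
syncache_get() {
    printf '%s\n' "$2" | awk -v key="net.inet.tcp.syncache.$1:" '$1 == key { print $2; exit }'
}

# is_pow2 N: true if N is a power of two. syncache_init() rejects any other
# hashsize and silently uses its compiled-in default instead.
is_pow2() {
    [ "$1" -gt 0 ] && [ $(( $1 & ($1 - 1) )) -eq 0 ]
}

# syncache_capacity HASHSIZE BUCKETLIMIT: the cachelimit the kernel derives
# when net.inet.tcp.syncache.cachelimit is not set explicitly.
syncache_capacity() {
    echo $(( $1 * $2 ))
}

# syncache_verdict HASHSIZE BUCKETLIMIT CACHELIMIT: one-word assessment.
#   bad-hashsize  hashsize is not a power of two (kernel will ignore it)
#   capped        cachelimit < hashsize*bucketlimit, so the global limit
#                 is hit before the buckets can fill
#   ok            otherwise
syncache_verdict() {
    is_pow2 "$1" || { echo bad-hashsize; return; }
    [ "$3" -lt "$(syncache_capacity "$1" "$2")" ] && { echo capped; return; }
    echo ok
}

# loader_conf HASHSIZE BUCKETLIMIT: loader.conf lines with a matching cachelimit.
# These oids are CTLFLAG_RDTUN, so they belong in /boot/loader.conf, not sysctl.conf.
loader_conf() {
    printf 'net.inet.tcp.syncache.hashsize=%s\n' "$1"
    printf 'net.inet.tcp.syncache.bucketlimit=%s\n' "$2"
    printf 'net.inet.tcp.syncache.cachelimit=%s\n' "$(syncache_capacity "$1" "$2")"
}

# Stand-alone run over the constructed sample.
hs=$(syncache_get hashsize "$SAMPLE_SYSCTL")
bl=$(syncache_get bucketlimit "$SAMPLE_SYSCTL")
cl=$(syncache_get cachelimit "$SAMPLE_SYSCTL")
echo "current: hashsize=$hs bucketlimit=$bl cachelimit=$cl -> $(syncache_verdict "$hs" "$bl" "$cl")"
echo "suggested /boot/loader.conf:"
loader_conf 2048 30
```

On a live box, replace `SAMPLE_SYSCTL` with `$(sysctl net.inet.tcp.syncache)`; after changing loader.conf and rebooting, `sysctl net.inet.tcp.syncache` should show the new values, and `netstat -s -p tcp` (the "syncache" counters) shows whether entries are still being dropped under load.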
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3807CE6F3BF4B04EB897F4EBF2D258CE5C05F7E4>
