From owner-freebsd-net@FreeBSD.ORG  Fri Mar 16 09:16:16 2012
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id E9D39106564A
	for <freebsd-net@freebsd.org>; Fri, 16 Mar 2012 09:16:16 +0000 (UTC)
	(envelope-from seyit.ozgur@istanbul.net)
Received: from spamtrap1.istanbul.net (spamtrap1.istanbul.net [85.111.12.35])
	by mx1.freebsd.org (Postfix) with ESMTP id 4DD8B8FC0A
	for <freebsd-net@freebsd.org>; Fri, 16 Mar 2012 09:16:15 +0000 (UTC)
X-ASG-Debug-ID: 1331889369-0426b062bb213c30001-QdxwpM
Received: from GAMMA.magnetdigital.local (gamma.magnetdigital.local
	[192.168.131.244]) by spamtrap1.istanbul.net with ESMTP id
	oAzJgnJ1h3zNdx3f; Fri, 16 Mar 2012 11:16:09 +0200 (EET)
X-Barracuda-Envelope-From: seyit.ozgur@istanbul.net
X-Barracuda-RBL-Trusted-Forwarder: 192.168.131.244
Received: from YUHANNA.magnetdigital.local ([fe80::1058:3088:f9b1:1346]) by
	GAMMA.magnetdigital.local ([fe80::3cca:d6ef:febb:fafb%17]) with mapi id
	14.01.0218.012; Fri, 16 Mar 2012 11:15:19 +0200
From: =?iso-8859-9?Q?Seyit_=D6zg=FCr?= <seyit.ozgur@istanbul.net>
X-Barracuda-Apparent-Source-IP: fe80::1058:3088:f9b1:1346
To: Nikolay Denev <ndenev@gmail.com>
Thread-Topic: Malformed syn packet cause %100 cpu and interrupts FreeBSD 9.0
	release
X-ASG-Orig-Subj: RE: Malformed syn packet cause %100 cpu and interrupts
	FreeBSD 9.0 release
Thread-Index: AQHNAv722OgOvL9cl0SnAaRt5PzT1pZso7Hw
Date: Fri, 16 Mar 2012 09:15:19 +0000
Message-ID: <3807CE6F3BF4B04EB897F4EBF2D258CE5C05F7E4@yuhanna.magnetdigital.local>
References: <3807CE6F3BF4B04EB897F4EBF2D258CE5C05F221@yuhanna.magnetdigital.local>
	<38FA7BAB-AC2B-4515-85CF-27F77C3F4313@mac.com>
	<3807CE6F3BF4B04EB897F4EBF2D258CE5C05F28C@yuhanna.magnetdigital.local>, 
	<13511933-562D-4887-951B-5BB01F62AB00@mac.com>
	<3807CE6F3BF4B04EB897F4EBF2D258CE5C05F2D0@yuhanna.magnetdigital.local>
	<14B45EAA-EC95-463B-A4C0-4CE9090FA274@gmail.com>
In-Reply-To: <14B45EAA-EC95-463B-A4C0-4CE9090FA274@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator: 
x-originating-ip: [192.168.134.34]
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature";
	micalg=SHA1; boundary="----=_NextPart_000_0178_01CD0366.122EFFF0"
MIME-Version: 1.0
X-Barracuda-Connect: gamma.magnetdigital.local[192.168.131.244]
X-Barracuda-Start-Time: 1331889369
X-Barracuda-URL: http://10.10.140.223:8000/cgi-mod/mark.cgi
X-Barracuda-Spam-Score: 0.00
X-Barracuda-Spam-Status: No,
	SCORE=0.00 using per-user scores of TAG_LEVEL=1000.0
	QUARANTINE_LEVEL=1000.0 KILL_LEVEL=9.0 tests=
X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.2.91360
	Rule breakdown below
	pts rule name              description
	---- ----------------------
	--------------------------------------------------
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
Cc: "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>
Subject: RE: Malformed syn packet cause %100 cpu and interrupts FreeBSD 9.0
	release
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Mar 2012 09:16:17 -0000

------=_NextPart_000_0178_01CD0366.122EFFF0
Content-Type: text/plain;
	charset="iso-8859-9"
Content-Transfer-Encoding: quoted-printable

Here is my=20

bsd# sysctl -a | grep syncache.hashsize=20
net.inet.tcp.syncache.hashsize: 512
bsd# sysctl -a | grep syncache.cachelimit
net.inet.tcp.syncache.cachelimit: 15360
bsd# sysctl -a | grep syncache.bucketlimit
net.inet.tcp.syncache.bucketlimit: 30

i will incrase hashsize and cachelimit and retest again..


Seyit =D6zg=FCr
Network Y=F6neticisi


-----Original Message-----
From: owner-freebsd-net@freebsd.org =
[mailto:owner-freebsd-net@freebsd.org]
On Behalf Of Nikolay Denev
Sent: Friday, March 16, 2012 12:58 AM
To: Seyit =D6zg=FCr
Cc: freebsd-net@freebsd.org
Subject: Re: Malformed syn packet cause %100 cpu and interrupts FreeBSD =
9.0
release


On Mar 15, 2012, at 10:40 PM, Seyit =D6zg=FCr wrote:

> sori my opinion but i m not a BSD guru.. i just working on BSD like 2
months..
> i know that PF or IPFW isn't build multicore arhitecture... As i know =
if
my server got on heavy Syn flood traffic PF or IPFW don't enough 1 =
core..=20
> i also tried Syn_cookie, Syn_cookie_only and syn_cache.. if i set up
syn_cookie start input errors after 600.000 syn packets per second. But
while i set off syn cookie protection.. my server can handle much more =
syn
packets then 600.000..=20
> Also thats why i don't use syncookies too..
> If there is any statefull Firewall software on freeBSD which support
multicore process? (you know ?). i m up to set up..
>=20
> i will get tcpdump again with -X param.. then i will post it again..
>=20
> Thanks for your comments.=20
>=20
> ________________________________________
> From: Chuck Swiger [cswiger@mac.com]
> Sent: Thursday, March 15, 2012 10:30 PM
> To: Seyit =D6zg=FCr
> Cc: freebsd-net@freebsd.org
> Subject: Re: Malformed syn packet cause %100 cpu and interrupts=20
> FreeBSD 9.0 release
>=20
> On Mar 15, 2012, at 1:17 PM, Seyit =D6zg=FCr wrote:
>> Thanks for quick reply.. but i don't use firewall. i tried to use =
PF..
>> Packer filter stucks up to 100.000 syn packets flooding(on open=20
>> port).. Without packet filter it handle much more syn flooding. Like
1Mpps can handle w/o interrupts that i see on my equiment But in this =
case
"malformed packets" i got interrupts also input packet error.. cause =
%100
cpu..
>> Is there any way to stop them without firewall ? Any rfc kernel =
feature
can check and stop those bogus packets ?
>> Or do i something wrong on PF ?
>=20
> I prefer IPFW myself, but you probably ran out of stateful rule slots.
For a high-volume services which is expected to be Internet-reachable =
(ie,
port 80 to a busy webserver), you really just don't want to have =
stateful
rules-- it's too easy to DoS the firewall itself, as you noticed.  In =
any
event, you don't need state if you are just blacklisting attack sources.
>=20
> You haven't really identified what you mean by "malformed", but maybe =
you
are talking about a SYN flood, in which case make sure that SYN cookies =
and
SYN cache are enabled...
>=20
> Regards,
> --
> -Chuck
>=20
>=20


In my experience you will endure a lot more SYN flood traffic if you use
only syncache, and also increase the syncache sysctls.
Sycookies are somewhat more expensive to calculate and they cause 100% =
CPU
load much sooner.

I use :

net.inet.tcp.syncache.hashsize=3D2048
net.inet.tcp.syncache.cachelimit=3D61440
net.inet.tcp.syncache.bucketlimit=3D30

Does this works better for you?


_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"

------=_NextPart_000_0178_01CD0366.122EFFF0--