From: Seyit Özgür <seyit.ozgur@istanbul.net>
To: Nikolay Denev
Cc: freebsd-net@freebsd.org
Subject: RE: Malformed syn packet cause %100 cpu and interrupts FreeBSD 9.0 release
Date: Fri, 16 Mar 2012 09:15:19 +0000

Here is mine:

bsd# sysctl -a | grep syncache.hashsize
net.inet.tcp.syncache.hashsize: 512
bsd# sysctl -a | grep syncache.cachelimit
net.inet.tcp.syncache.cachelimit: 15360
bsd# sysctl -a | grep syncache.bucketlimit
net.inet.tcp.syncache.bucketlimit: 30

I will increase hashsize and cachelimit and retest again..

Seyit Özgür
Network Administrator

-----Original Message-----
From: owner-freebsd-net@freebsd.org [mailto:owner-freebsd-net@freebsd.org] On Behalf Of Nikolay Denev
Sent: Friday, March 16, 2012 12:58 AM
To: Seyit Özgür
Cc: freebsd-net@freebsd.org
Subject: Re: Malformed syn packet cause %100 cpu and interrupts FreeBSD 9.0 release

On Mar 15, 2012, at 10:40 PM, Seyit Özgür wrote:
> Sorry, just my opinion, but I'm not a BSD guru.. I have only been working on BSD for like 2 months..
> I know that PF or IPFW isn't built on a multicore architecture... As far as I know, if my server gets heavy SYN flood traffic, 1 core isn't enough for PF or IPFW..
> I also tried syn_cookie, syn_cookie_only and syn_cache.. If I set up syn_cookie, input errors start after 600.000 SYN packets per second. But when I turn off syn cookie protection, my server can handle many more SYN packets than 600.000..
> Also that's why I don't use syncookies either..
> Is there any stateful firewall software on FreeBSD which supports multicore processing? (do you know?). I'm willing to set it up..
>
> I will get a tcpdump again with the -X param.. then I will post it again..
>
> Thanks for your comments.
>
> ________________________________________
> From: Chuck Swiger [cswiger@mac.com]
> Sent: Thursday, March 15, 2012 10:30 PM
> To: Seyit Özgür
> Cc: freebsd-net@freebsd.org
> Subject: Re: Malformed syn packet cause %100 cpu and interrupts FreeBSD 9.0 release
>
> On Mar 15, 2012, at 1:17 PM, Seyit Özgür wrote:
>> Thanks for the quick reply.. but I don't use a firewall. I tried to use PF..
>> Packet filter gets stuck at up to 100.000 SYN packets flooding (on an open port).. Without the packet filter it handles much more SYN flooding. Like 1Mpps it can handle w/o the interrupts that I see on my equipment. But in this "malformed packets" case I get interrupts and also input packet errors.. causing %100 cpu..
>> Is there any way to stop them without a firewall? Any RFC kernel feature that can check and stop those bogus packets?
>> Or am I doing something wrong on PF?
>
> I prefer IPFW myself, but you probably ran out of stateful rule slots. For a high-volume service which is expected to be Internet-reachable (ie, port 80 to a busy webserver), you really just don't want to have stateful rules-- it's too easy to DoS the firewall itself, as you noticed. In any event, you don't need state if you are just blacklisting attack sources.
>
> You haven't really identified what you mean by "malformed", but maybe you are talking about a SYN flood, in which case make sure that SYN cookies and SYN cache are enabled...
>
> Regards,
> --
> -Chuck
>
>

In my experience you will endure a lot more SYN flood traffic if you use only syncache, and also increase the syncache sysctls.
Syncookies are somewhat more expensive to calculate and they cause 100% CPU load much sooner.

I use:

net.inet.tcp.syncache.hashsize=2048
net.inet.tcp.syncache.cachelimit=61440
net.inet.tcp.syncache.bucketlimit=30

Does this work better for you?

_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
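A small checker for the three syncache tunables traded in this thread, added here as an example and not code from the thread or from FreeBSD: it parses sysctl output like the lines quoted above, checks that cachelimit equals hashsize * bucketlimit (the relation both posted sets of values satisfy) and that hashsize is a power of two, and emits /boot/loader.conf lines for a larger table. It assumes these three values are boot-time tunables, so a change goes in loader.conf rather than a runtime sysctl call.

```python
"""Sanity-check FreeBSD syncache tunables (net.inet.tcp.syncache.*).
Added example, not code from the thread or from FreeBSD. Assumes the three
values are boot-time tunables, so changes belong in /boot/loader.conf."""
import re

# Constructed sample: the values Seyit posted plus one line the parser must ignore.
SAMPLE = """\
net.inet.tcp.syncache.hashsize: 512
net.inet.tcp.syncache.cachelimit: 15360
net.inet.tcp.syncache.bucketlimit: 30
net.inet.tcp.syncookies: 1
"""

_LINE = re.compile(r"^net\.inet\.tcp\.syncache\.(\w+):\s*(\d+)\s*$")


def parse_syncache(text):
    """Map tunable name -> int for every net.inet.tcp.syncache.* line."""
    out = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            out[m.group(1)] = int(m.group(2))
    return out


def check_syncache(v):
    """Return findings; empty list = consistent. cachelimit caps the entry pool
    and each of the hashsize buckets holds at most bucketlimit entries, so the
    kernel's default is cachelimit = hashsize * bucketlimit; hashsize must be 2^n."""
    h, b, c = v["hashsize"], v["bucketlimit"], v["cachelimit"]
    findings = []
    if h <= 0 or h & (h - 1):
        findings.append("hashsize %d is not a power of two" % h)
    if c != h * b:
        findings.append("cachelimit %d != hashsize*bucketlimit %d" % (c, h * b))
    return findings


def loader_conf(hashsize, bucketlimit=30):
    """Return /boot/loader.conf lines sizing the cache for hashsize buckets."""
    if hashsize <= 0 or hashsize & (hashsize - 1):
        raise ValueError("hashsize must be a power of two")
    return ["net.inet.tcp.syncache.hashsize=%d" % hashsize,
            "net.inet.tcp.syncache.bucketlimit=%d" % bucketlimit,
            "net.inet.tcp.syncache.cachelimit=%d" % (hashsize * bucketlimit)]


if __name__ == "__main__":  # loader_conf(2048) matches Nikolay's 2048/30/61440
    print(check_syncache(parse_syncache(SAMPLE)) or "consistent")
    print("\n".join(loader_conf(2048)))
```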