Date:      Fri, 16 Mar 2012 09:15:19 +0000
From:      Seyit Özgür <seyit.ozgur@istanbul.net>
To:        Nikolay Denev <ndenev@gmail.com>
Cc:        "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>
Subject:   RE: Malformed syn packet cause %100 cpu and interrupts FreeBSD 9.0 release
Message-ID:  <3807CE6F3BF4B04EB897F4EBF2D258CE5C05F7E4@yuhanna.magnetdigital.local>
In-Reply-To: <14B45EAA-EC95-463B-A4C0-4CE9090FA274@gmail.com>
References:  <3807CE6F3BF4B04EB897F4EBF2D258CE5C05F221@yuhanna.magnetdigital.local> <38FA7BAB-AC2B-4515-85CF-27F77C3F4313@mac.com> <3807CE6F3BF4B04EB897F4EBF2D258CE5C05F28C@yuhanna.magnetdigital.local>,  <13511933-562D-4887-951B-5BB01F62AB00@mac.com> <3807CE6F3BF4B04EB897F4EBF2D258CE5C05F2D0@yuhanna.magnetdigital.local> <14B45EAA-EC95-463B-A4C0-4CE9090FA274@gmail.com>


Here is my

bsd# sysctl -a | grep syncache.hashsize
net.inet.tcp.syncache.hashsize: 512
bsd# sysctl -a | grep syncache.cachelimit
net.inet.tcp.syncache.cachelimit: 15360
bsd# sysctl -a | grep syncache.bucketlimit
net.inet.tcp.syncache.bucketlimit: 30

I will increase hashsize and cachelimit and retest again..


Seyit Özgür
Network Administrator


-----Original Message-----
From: owner-freebsd-net@freebsd.org [mailto:owner-freebsd-net@freebsd.org]
On Behalf Of Nikolay Denev
Sent: Friday, March 16, 2012 12:58 AM
To: Seyit Özgür
Cc: freebsd-net@freebsd.org
Subject: Re: Malformed syn packet cause %100 cpu and interrupts FreeBSD 9.0 release


On Mar 15, 2012, at 10:40 PM, Seyit Özgür wrote:

> Sorry, my opinion, but I'm not a BSD guru.. I've just been working on BSD for like 2 months..
> I know that PF or IPFW isn't built for a multicore architecture... As far as I know, if my server gets heavy SYN flood traffic, 1 core isn't enough for PF or IPFW..
> I also tried Syn_cookie, Syn_cookie_only and syn_cache.. if I set up syn_cookie, input errors start after 600.000 SYN packets per second. But when I turn off SYN cookie protection.. my server can handle many more SYN packets than 600.000..
> Also, that's why I don't use syncookies too..
> Is there any stateful firewall software on FreeBSD which supports multicore processing? (do you know?). I'm up to set it up..
>
> I will get tcpdump again with the -X param.. then I will post it again..
>
> Thanks for your comments.
>
> ________________________________________
> From: Chuck Swiger [cswiger@mac.com]
> Sent: Thursday, March 15, 2012 10:30 PM
> To: Seyit Özgür
> Cc: freebsd-net@freebsd.org
> Subject: Re: Malformed syn packet cause %100 cpu and interrupts FreeBSD 9.0 release
>
> On Mar 15, 2012, at 1:17 PM, Seyit Özgür wrote:
>> Thanks for the quick reply.. but I don't use a firewall. I tried to use PF..
>> Packet filter gets stuck at up to 100.000 SYN packets flooding (on an open port).. Without packet filter it handles much more SYN flooding, like 1Mpps it can handle w/o interrupts that I see on my equipment. But in this case of "malformed packets" I got interrupts and also input packet errors.. causing %100 cpu..
>> Is there any way to stop them without a firewall? Any RFC kernel feature that can check and stop those bogus packets?
>> Or am I doing something wrong on PF?
>
> I prefer IPFW myself, but you probably ran out of stateful rule slots. For a high-volume service which is expected to be Internet-reachable (ie, port 80 to a busy webserver), you really just don't want to have stateful rules-- it's too easy to DoS the firewall itself, as you noticed.  In any event, you don't need state if you are just blacklisting attack sources.
>
> You haven't really identified what you mean by "malformed", but maybe you are talking about a SYN flood, in which case make sure that SYN cookies and SYN cache are enabled...
>
> Regards,
> --
> -Chuck
>
>


In my experience you will endure a lot more SYN flood traffic if you use only syncache, and also increase the syncache sysctls.
Syncookies are somewhat more expensive to calculate and they cause 100% CPU load much sooner.

I use :

net.inet.tcp.syncache.hashsize=2048
net.inet.tcp.syncache.cachelimit=61440
net.inet.tcp.syncache.bucketlimit=30

Does this work better for you?


_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
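An added example, not written by anyone in this thread, that turns the two syncache tunings quoted above into a small POSIX sh check. It assumes the FreeBSD syncache is a hash table of hashsize buckets holding at most bucketlimit entries each, so hashsize * bucketlimit is the table's capacity and the value cachelimit defaults to; both sets of numbers in the thread fit that relation (512*30 = 15360 and 2048*30 = 61440). It also assumes hashsize must be a power of two and that these three knobs are boot-time tunables set in /boot/loader.conf rather than changed with sysctl on a running system. The function names are my own.

```shell
#!/bin/sh
# Added example (not code from the thread): derive and validate a consistent
# net.inet.tcp.syncache tuning. Assumption: the syncache holds at most
# hashsize * bucketlimit entries, which is what cachelimit defaults to, and
# hashsize must be a power of two because the kernel masks the hash with
# hashsize - 1. All function names here are hypothetical.

# is_pow2 N: succeed when N is a positive power of two
is_pow2() {
    n=$1
    [ "$n" -gt 0 ] 2>/dev/null || return 1
    [ $(( n & (n - 1) )) -eq 0 ]
}

# syncache_limit HASHSIZE BUCKETLIMIT: print the entry cap implied by the table shape
syncache_limit() {
    echo $(( $1 * $2 ))
}

# check_syncache HASHSIZE BUCKETLIMIT CACHELIMIT: succeed when the three values
# agree with the default relation, i.e. the thread's 512/30/15360 and 2048/30/61440
check_syncache() {
    if ! is_pow2 "$1"; then
        echo "hashsize $1 is not a power of two; the kernel will fall back to its default" >&2
        return 1
    fi
    expected=$(syncache_limit "$1" "$2")
    if [ "$3" -ne "$expected" ]; then
        echo "cachelimit $3 differs from hashsize*bucketlimit=$expected" >&2
        return 1
    fi
    return 0
}

# loader_conf HASHSIZE BUCKETLIMIT: print /boot/loader.conf lines, deriving cachelimit
# from the other two so the table shape and the overall cap cannot drift apart
loader_conf() {
    printf 'net.inet.tcp.syncache.hashsize=%s\n' "$1"
    printf 'net.inet.tcp.syncache.bucketlimit=%s\n' "$2"
    printf 'net.inet.tcp.syncache.cachelimit=%s\n' "$(syncache_limit "$1" "$2")"
}

# current_syncache: read the live values on a host that has sysctl; report and
# fail gracefully elsewhere so the script still runs offline
current_syncache() {
    if ! command -v sysctl >/dev/null 2>&1; then
        echo "sysctl not available on this host" >&2
        return 1
    fi
    sysctl -n net.inet.tcp.syncache.hashsize \
              net.inet.tcp.syncache.bucketlimit \
              net.inet.tcp.syncache.cachelimit
}
```

Run check_syncache 2048 30 61440 to confirm Nikolay's values are self-consistent, or loader_conf 2048 30 to print loader.conf lines with cachelimit derived from the other two; current_syncache shows the live values on a FreeBSD host and simply reports when sysctl is not present. Enlarging hashsize spreads a flood's entries over more buckets, so the per-bucket limit of 30 is hit later and fewer legitimate half-open connections get evicted, which is the effect Nikolay describes.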
