Date: Sun, 5 Jan 2003 14:18:07 -0800 (PST)
From: Josh Brooks <user@mail.econolodgetulsa.com>
To: Barney Wolff <barney@pit.databus.com>
Cc: Lars Eggert <larse@ISI.EDU>, <freebsd-net@FreeBSD.ORG>
Subject: Re: Need help dealing with (D)DoS attacks (desperately)
Message-ID: <20030105141736.C80512-100000@mail.econolodgetulsa.com>
In-Reply-To: <20030105221549.GA81793@pit.databus.com>
Alternatively, is getting a much faster CPU (p3 1.6g ?) a "big hammer" that
solves problems related to the number of rules being parsed for each packet ?
Just curious.

On Sun, 5 Jan 2003, Barney Wolff wrote:

> On Sun, Jan 05, 2003 at 01:31:24PM -0800, Josh Brooks wrote:
> > So, I have 927 ipfw rules in place - but I am guessing that about 800 of
> > those rules are just "count" rules for me to count bandwidth:
> >
> > 001 164994 120444282 count ip from any to 10.10.10.10
> > 002 158400 16937232 count ip from 10.10.10.10 to any
>
> Much of your problem is that you're running through all the rules on
> every packet. ipfw keeps going until it hits an allow or deny rule.
> Since all rules get counted, I'd suggest putting all your denies up
> front, and then have allow rules, not count rules, with the most
> heavily used addresses first. That way, many fewer rules should get
> interpreted for each packet. An even fancier scheme would use skipto
> and divide up your IP ranges in a binary search.
>
> --
> Barney Wolff http://www.databus.com/bwresume.pdf
> I'm available by contract or FT, in the NYC metro area or via the 'Net.
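The ruleset layout Barney describes (denies first, then skipto rules that binary-search the customer address range, then terminal allow rules whose counters replace the non-terminating count rules) can be generated rather than typed out. The script below is an added example, not code from the thread or from the FreeBSD project, and everything in it is assumed for illustration: the external interface fxp0, a customer block of eight hosts in 10.10.10.0/29, the single spoofed-source deny at the top, and the policy of passing traffic that matches no customer address. It prints ipfw commands; it does not touch the running firewall.

```sh
#!/bin/sh
# Generate an ipfw ruleset for per-customer accounting that evaluates few
# rules per packet: the denies first, then skipto rules that binary-search
# the customer address range, then terminal allow rules. ipfw keeps packet
# and byte counters on every rule, allow included ("ipfw -a list" shows
# them), so the allow rules replace the count rules and end the search.
# Assumed for illustration: interface fxp0, customers in 10.10.10.0/29,
# and the spoofed-source deny; none of this is the poster's configuration.

EXT_IF=fxp0          # assumed external interface
CUST_NET=10.10.10    # assumed customer block; hosts .0 to .7, a /29
NHOSTS=8             # must be a power of two so the halves stay even
PLEN=29              # prefix length of the whole customer block
NEXT=1100            # next free block of 100 rule numbers

# Reserve a block of 100 rule numbers; result in $ALLOC (no subshell,
# so NEXT really advances between calls).
alloc() { ALLOC=$NEXT; NEXT=$((NEXT + 100)); }

# emit_block BASE FIRST COUNT PLEN
# Rules for hosts FIRST..FIRST+COUNT-1 (a /PLEN), starting at rule BASE.
emit_block() {
    base=$1 first=$2 count=$3 plen=$4
    if [ "$count" -le 2 ]; then
        # Leaf: two terminal allow rules per customer, to and from.
        n=$base h=$first
        while [ "$h" -lt $((first + count)) ]; do
            echo "add $n allow ip from any to $CUST_NET.$h"
            echo "add $((n + 1)) allow ip from $CUST_NET.$h to any"
            n=$((n + 2)) h=$((h + 1))
        done
        return
    fi
    # Dispatch: split the range in two and skipto the matching half.
    # skipto targets are always allocated above the current block, as
    # ipfw requires jumps to go forward.
    half=$((count / 2)) sub=$((plen + 1))
    alloc; left=$ALLOC
    alloc; right=$ALLOC
    echo "add $base skipto $left ip from any to $CUST_NET.$first/$sub"
    echo "add $((base + 1)) skipto $left ip from $CUST_NET.$first/$sub to any"
    echo "add $((base + 2)) skipto $right ip from any to $CUST_NET.$((first + half))/$sub"
    echo "add $((base + 3)) skipto $right ip from $CUST_NET.$((first + half))/$sub to any"
    # Neither half matched: not customer traffic (assumed policy: pass it).
    echo "add $((base + 4)) allow ip from any to any"
    # Positional parameters survive the recursive call; the globals above
    # do not, so park the right half's arguments in "$@" first.
    set -- "$right" "$((first + half))" "$half" "$sub"
    emit_block "$left" "$first" "$half" "$sub"
    emit_block "$@"
}

gen_ruleset() {
    NEXT=1100
    # Denies up front: every packet passes through these, so keep them few.
    echo "add 100 deny log ip from $CUST_NET.0/$PLEN to any in via $EXT_IF"
    emit_block 1000 0 "$NHOSTS" "$PLEN"
}

gen_ruleset
```

For eight customers this emits 32 rules, and a packet to or from a customer is examined against at most 1 deny + 4 skipto + 4 skipto + 4 allow rules before it terminates, instead of walking every count rule; each extra doubling of the customer block adds one level of five dispatch rules rather than doubling the per-packet work. Review the output, then feed it to ipfw as a command file (ipfw(8) reads commands from a pathname). One caveat the count-rule scheme did not have: allow terminates, so a packet from one customer to another is counted only against the first allow rule it hits, not against both customers.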