From owner-freebsd-net Sun Jan 5 14:18:08 2003
Date: Sun, 5 Jan 2003 14:18:07 -0800 (PST)
From: Josh Brooks
To: Barney Wolff
Cc: Lars Eggert, freebsd-net@freebsd.org
Subject: Re: Need help dealing with (D)DoS attacks (desperately)
In-Reply-To: <20030105221549.GA81793@pit.databus.com>
Message-ID: <20030105141736.C80512-100000@mail.econolodgetulsa.com>
Sender: owner-freebsd-net@FreeBSD.ORG

Alternatively, is getting a much faster CPU (p3 1.6g?) a "big hammer" that
solves problems related to the number of rules being parsed for each
packet? Just curious.

On Sun, 5 Jan 2003, Barney Wolff wrote:

> On Sun, Jan 05, 2003 at 01:31:24PM -0800, Josh Brooks wrote:
> > So, I have 927 ipfw rules in place - but I am guessing that about 800 of
> > those rules are just "count" rules for me to count bandwidth:
> >
> > 001 164994 120444282 count ip from any to 10.10.10.10
> > 002 158400 16937232 count ip from 10.10.10.10 to any
>
> Much of your problem is that you're running through all the rules on
> every packet. ipfw keeps going until it hits an allow or deny rule.
> Since all rules get counted, I'd suggest putting all your denies up
> front, and then have allow rules, not count rules, with the most
> heavily used addresses first. That way, many fewer rules should get
> interpreted for each packet. An even fancier scheme would use skipto
> and divide up your IP ranges in a binary search.
>
> --
> Barney Wolff http://www.databus.com/bwresume.pdf
> I'm available by contract or FT, in the NYC metro area or via the 'Net.
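Barney's ordering advice, as an added illustration that is not code from the thread or from ipfw: a small Python model of ipfw's evaluation order (count continues, allow/deny stops, skipto jumps) that reports how many rules are examined per packet under an all-count layout, the deny-then-allow layout, and a two-way skipto split. The 200-host /24, the 192.0.2.0/24 blocklist and the rule numbers are constructed for the example.

```python
import ipaddress

# Toy model of ipfw evaluation (constructed for this example, not ipfw code).
# A rule is (number, action, skipto_target, destination network) and matches
# on the packet's destination, i.e. "ip from any to <net>". "count" matches
# but evaluation continues; "allow"/"deny" end it; "skipto N" resumes at the
# first rule numbered >= N. Returns (verdict, rules examined).
def evaluate(rules, dst):
    dst, examined, i = ipaddress.ip_address(dst), 0, 0
    while i < len(rules):
        num, action, target, net = rules[i]
        examined += 1
        if dst in ipaddress.ip_network(net):
            if action in ("allow", "deny"):
                return action, examined
            if action == "skipto":
                i = next((k for k, r in enumerate(rules) if r[0] >= target),
                         len(rules))      # no such rule: fall off the end
                continue
        i += 1
    return "deny", examined               # default deny at end of list

def as_ipfw(rules):
    # Render the model as the equivalent "ipfw add" commands.
    return ["ipfw add %d %s %sip from any to %s"
            % (n, a, "%d " % t if t else "", net) for n, a, t, net in rules]

HOSTS = ["10.10.10.%d" % h for h in range(1, 201)]   # constructed /24
BAD = "192.0.2.0/24"                                  # constructed blocklist

def count_ruleset():
    # The layout from the thread: one count rule per host, then one allow.
    return [(n + 1, "count", None, h) for n, h in enumerate(HOSTS)] \
        + [(65000, "allow", None, "0.0.0.0/0")]

def allow_ruleset():
    # Barney's suggestion: denies first, then per-host allow rules.
    return [(10, "deny", None, BAD)] \
        + [(100 + n, "allow", None, h) for n, h in enumerate(HOSTS)]

def skipto_ruleset():
    # Binary split: low half of the /24 jumps to 1000, high half to 2000.
    lo = [h for h in HOSTS if ipaddress.ip_address(h) < ipaddress.ip_address("10.10.10.128")]
    hi = HOSTS[len(lo):]
    return [(10, "deny", None, BAD),
            (20, "skipto", 1000, "10.10.10.0/25"),
            (30, "skipto", 2000, "10.10.10.128/25")] \
        + [(1000 + n, "allow", None, h) for n, h in enumerate(lo)] \
        + [(2000 + n, "allow", None, h) for n, h in enumerate(hi)]

if __name__ == "__main__":
    for name, rs in (("count", count_ruleset()), ("allow", allow_ruleset()),
                     ("skipto", skipto_ruleset())):
        print(name, evaluate(rs, "10.10.10.150"))   # 201, 151, 26 examined
```

A packet for 10.10.10.150 walks all 201 rules in the count layout, 151 in the deny-then-allow layout, and 26 once the skipto split is in place; the same first-match rule is why a faster CPU only scales the per-packet cost rather than removing it.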