Date:      Tue, 3 Jun 2003 12:59:06 +0200
From:      "Kristian Rask" <krask@isupport.dk>
To:        <freebsd-net@freebsd.org>
Subject:   Problem w. DDOS and ipfw (5.0-R)
Message-ID:  <008101c329bf$2a164220$0a01a8c0@example.org>


Hi

I have a machine running 5.0-R on a 1400 Celeron w. 256 Megs.
It has an em Intel gigabit interface and an xl 3Com NIC.

The machine is directly connected to a 100MBit internet link (fiber w. media converter).

The machine acts as a packet filter and gateway for a /27 net.

In the /27 net are two web servers running IIS-5.

These web servers are subject to an ongoing denial of service attack.
By logging and sorting the output according to SRC IP it becomes very evident who
attacks (large number of setups) and who doesn't (who are regular users). Apparently 100-400+ machines are
hammering at the site, and they are occasionally replaced by new machines (IPs).

How should one go about automating the process of converting the knowledge gained from the logfiles into ipfw rules?

If we use "limit-src" the machine dies within ½ a minute w. something like "To many dynamic rules, rebooting in 10 seconds".

50-65% of the total load is interrupts (according to top).

Any recommendations for NICs that produce fewer interrupts due to caching etc.?

Any other ideas as to how to cope with, overcome and prepare for massive DDOS attacks are very welcome.

regards & TIA

Kristian
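The log-to-ipfw-rules automation asked about above, as an added example (not code from the original post or from FreeBSD). It assumes the standard ipfw kernel log line format ("ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> in|out via <iface>"), that the logging rule matches TCP "setup" packets so each line is one connection attempt, and a constructed sample log using documentation addresses. The rule number 500, the threshold of 3 and the whitelist are illustrative choices.

```python
"""
Added example: turn ipfw log lines into per-source connection-attempt counts
and a list of static 'ipfw add ... deny' commands for the worst offenders.
Not from the original post; assumes the standard ipfw kernel log format.
"""
import re
import sys
from collections import Counter

# ipfw kernel log line, e.g.
#   Jun  3 12:00:01 gw kernel: ipfw: 100 Accept TCP 198.51.100.7:1025 192.0.2.10:80 in via em0
IPFW_LINE = re.compile(
    r"ipfw:\s+(?P<rule>\d+)\s+(?P<action>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\s+"
    r"(?P<dir>in|out)\s+via\s+(?P<iface>\S+)"
)

# Constructed sample log (documentation addresses, not real traffic):
# two "attackers" with many setups, one ordinary user, plus lines that must be ignored.
SAMPLE_LOG = """\
Jun  3 12:00:01 gw kernel: ipfw: 100 Accept TCP 198.51.100.7:1025 192.0.2.10:80 in via em0
Jun  3 12:00:01 gw kernel: ipfw: 100 Accept TCP 198.51.100.7:1026 192.0.2.10:80 in via em0
Jun  3 12:00:01 gw kernel: ipfw: 100 Accept TCP 203.0.113.9:2001 192.0.2.11:80 in via em0
Jun  3 12:00:02 gw kernel: ipfw: 100 Accept TCP 198.51.100.7:1027 192.0.2.10:80 in via em0
Jun  3 12:00:02 gw kernel: ipfw: 100 Accept TCP 198.51.100.200:3333 192.0.2.10:80 in via em0
Jun  3 12:00:02 gw kernel: ipfw: 100 Accept TCP 203.0.113.9:2002 192.0.2.11:80 in via em0
Jun  3 12:00:03 gw kernel: ipfw: 100 Accept TCP 198.51.100.7:1028 192.0.2.10:80 in via em0
Jun  3 12:00:03 gw kernel: ipfw: 100 Accept TCP 203.0.113.9:2003 192.0.2.11:80 in via em0
Jun  3 12:00:03 gw kernel: ipfw: 200 Deny UDP 203.0.113.50:1234 192.0.2.10:53 in via em0
Jun  3 12:00:04 gw kernel: ipfw: 100 Accept TCP 198.51.100.7:1029 192.0.2.10:443 in via em0
Jun  3 12:00:04 gw kernel: ipfw: 100 Accept TCP 198.51.100.7:1030 192.0.2.10:80 in via em0
Jun  3 12:00:04 gw kernel: ipfw: 100 Accept TCP 203.0.113.9:2004 192.0.2.11:80 in via em0
Jun  3 12:00:05 gw kernel: ipfw: 100 Accept TCP 192.0.2.10:80 198.51.100.7:1025 out via em0
Jun  3 12:00:05 gw sshd[123]: Accepted password for admin from 192.0.2.3 port 1111 ssh2
"""

# Hypothetical whitelist: never generate deny rules for these (own net, monitoring, etc.).
WHITELIST = ("192.0.2.3",)


def parse_ipfw_lines(lines):
    """Yield a dict of fields for every line that matches the ipfw log format."""
    for line in lines:
        m = IPFW_LINE.search(line)
        if m:
            yield m.groupdict()


def count_setups(lines, dport=80):
    """Count inbound TCP connection attempts per source IP towards dport."""
    counts = Counter()
    for rec in parse_ipfw_lines(lines):
        if rec["proto"].upper() != "TCP" or rec["dir"] != "in":
            continue  # ignore UDP/ICMP and our own outbound traffic
        if int(rec["dport"]) != dport:
            continue  # only the service under attack
        counts[rec["src"]] += 1
    return counts


def offenders(counts, threshold, whitelist=()):
    """Sources with at least `threshold` attempts, busiest first, minus the whitelist."""
    skip = set(whitelist)
    return [ip for ip, n in counts.most_common() if n >= threshold and ip not in skip]


def deny_rules(ips, rule_number=500, dport=80):
    """One static deny rule per IP, all under a single rule number.

    ipfw lets many rules share a number, so 'ipfw delete 500' later removes the
    whole generated set at once. Pick a number lower than the accept rule.
    """
    return ["ipfw add %d deny tcp from %s to any %d" % (rule_number, ip, dport) for ip in ips]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    threshold = int(sys.argv[2]) if len(sys.argv) > 2 else 3
    for cmd in deny_rules(offenders(count_setups(lines), threshold, WHITELIST)):
        print(cmd)
```

Run it against the log window you want to react to (e.g. from cron, piping the output to `sh` once you trust it); the threshold is per window, so tune it to the period the log covers. Static deny rules cost no dynamic-rule state, which is what killed the `limit` approach described above, but they only cover sources already seen, so the job has to be rerun as the attacking hosts change, and `ipfw delete 500` clears the generated set before each run.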
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?008101c329bf$2a164220$0a01a8c0>