Date: Tue, 3 Jun 2003 12:59:06 +0200 From: "Kristian Rask" <krask@isupport.dk> To: <freebsd-net@freebsd.org> Subject: Problem w. DDOS and ipfw (5.0-R) Message-ID: <008101c329bf$2a164220$0a01a8c0@example.org>
Hi

I have a machine running 5.0-R on a 1400 Celeron w. 256 Megs. It has an em Intel gigabit interface and an xl 3Com NIC. The machine is directly connected to a 100 MBit internet link (fiber w. media converter). The machine acts as a packet filter and gateway for a /27 net. In the /27 net are two web servers running IIS-5.

These web servers are subject to an ongoing denial of service attack. By logging and sorting the output according to SRC IP it becomes very evident who attacks (large nr. of setups) and who doesn't (who are regular users). Apparently 100-400+ machines are hammering at the site and they are occasionally replaced by new machines (IPs).

How should one go about automating the process of converting the gained knowledge from the logfiles into ipfw rules?

If we use "limit-src" the machine dies within ½ a minute w. something like "Too many dynamic rules, rebooting in 10 seconds".

50-65% of the total load is interrupts... (according to top)

Any recommendations for NICs that produce fewer interrupts due to caching etc.?

Any other ideas as to how to cope with, overcome and prepare for massive DDOS attacks are very welcome.

regards & TIA
Kristian
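An added example, not part of Kristian's message and not a FreeBSD tool: a small Python script that does the log-to-rule conversion asked about above. It parses ipfw syslog lines of the form `ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> <in|out> via <if>`, counts inbound TCP hits per source address aimed at port 80 on hosts inside a protected /27, and emits stateless `ipfw add ... deny` commands for every source above a threshold that is not already blocked. The sample log lines, the addresses, the protected network 192.0.2.0/27, the interface `em0`, the threshold and the rule number are all constructed assumptions for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of ipfw syslog output for this example (made-up addresses
# and timing, not real log data). The three lines at the end are an outbound
# reply, a UDP packet and an SSH attempt, which the counter must ignore.
SAMPLE_LOG = """\
Jun  3 12:40:01 gw /kernel: ipfw: 100 Accept TCP 198.51.100.7:1025 192.0.2.10:80 in via em0
Jun  3 12:40:01 gw /kernel: ipfw: 100 Accept TCP 198.51.100.7:1026 192.0.2.10:80 in via em0
Jun  3 12:40:02 gw /kernel: ipfw: 100 Accept TCP 198.51.100.7:1027 192.0.2.10:80 in via em0
Jun  3 12:40:02 gw /kernel: ipfw: 100 Accept TCP 198.51.100.7:1028 192.0.2.11:80 in via em0
Jun  3 12:40:02 gw /kernel: ipfw: 100 Accept TCP 203.0.113.9:4001 192.0.2.11:80 in via em0
Jun  3 12:40:03 gw /kernel: ipfw: 100 Accept TCP 203.0.113.9:4002 192.0.2.11:80 in via em0
Jun  3 12:40:03 gw /kernel: ipfw: 100 Accept TCP 203.0.113.9:4003 192.0.2.10:80 in via em0
Jun  3 12:40:04 gw /kernel: ipfw: 100 Accept TCP 198.51.100.200:2000 192.0.2.10:80 in via em0
Jun  3 12:40:05 gw /kernel: ipfw: 100 Accept TCP 192.0.2.10:80 198.51.100.7:1025 out via em0
Jun  3 12:40:06 gw /kernel: ipfw: 100 Accept UDP 198.51.100.50:53 192.0.2.10:53 in via em0
Jun  3 12:40:07 gw /kernel: ipfw: 100 Accept TCP 198.51.100.8:3000 192.0.2.10:22 in via em0
"""

# Fields of an ipfw log line; lines that do not match (other syslog noise) are skipped.
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)


def count_sources(lines, protected_net, dst_port=80):
    """Count inbound TCP packets per source address aimed at dst_port on hosts in protected_net."""
    net = ipaddress.ip_network(protected_net)
    counts = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if m is None:
            continue
        if m["proto"] != "TCP" or m["dir"] != "in" or int(m["dport"]) != dst_port:
            continue
        try:
            if ipaddress.ip_address(m["dst"]) not in net:
                continue
            src = ipaddress.ip_address(m["src"])  # validates before it can reach a rule
        except ValueError:
            continue  # malformed address in the log: skip rather than emit a bad rule
        counts[str(src)] += 1
    return counts


def select_attackers(counts, threshold):
    """Sources with at least `threshold` hits, sorted so output is stable between runs."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def build_rules(attackers, already_blocked, rule_no, iface, dst_port=80):
    """Emit one stateless deny per new attacker. All denies share one rule number,
    which ipfw allows, so the whole generated block can later be dropped with
    `ipfw delete <rule_no>`. Sources already in the rule set are skipped."""
    return [
        f"ipfw add {rule_no} deny tcp from {ip} to any {dst_port} in via {iface}"
        for ip in attackers
        if ip not in already_blocked
    ]


if __name__ == "__main__":
    counts = count_sources(SAMPLE_LOG.splitlines(), "192.0.2.0/27")
    attackers = select_attackers(counts, threshold=3)
    # already_blocked would normally be parsed from `ipfw list`; assumed here.
    for rule in build_rules(attackers, already_blocked={"203.0.113.9"}, rule_no=1000, iface="em0"):
        print(rule)
```

Run it against the output of the logging rule (or a syslog file) from cron, pipe the emitted commands to `sh`, and keep `already_blocked` fed from `ipfw list` so the rule set grows only by new sources each run. The threshold is the part that needs judgment: a busy proxy or NAT in front of many real users shows up as one source with a high count, so pick it from the sorted per-source counts you already have rather than guessing.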