From: "Kristian Rask"
To: freebsd-net@freebsd.org
Date: Tue, 3 Jun 2003 12:59:06 +0200
Subject: Problem w. DDOS and ipfw (5.0-R)
List-Id: Networking and TCP/IP with FreeBSD

Hi

I have a machine running 5.0-R on a 1400 Celeron w. 256Megs.
It has an em Intel gigabit interface and an xl 3com nic.
The machine is directly connected to a 100MBit internet link (Fiber w. media converter).
The machine acts as a packetfilter and gateway for a /27 net.
In the /27 net are two web servers running IIS-5.
These web servers are subject to an ongoing denial of service attack.
By logging and sorting the output according to SRC IP it becomes very evident who attacks (large nr. of setups) and who doesn't (who are regular users); apparently 100-400+ machines are hammering at the site and they are occasionally replaced by new machines (IP's).

How should one go about automating the process of converting the gained knowledge from the logfiles into ipfw rules?
If we use "limit-src" the machine dies within ½ a minute w. something like "To many dynamic rules, rebooting in 10 seconds".
50-65% of the total load is interrupts (according to top).
Any recommendations for NICs that produce fewer interrupts due to caching etc.?
Any other ideas on how to cope with, overcome and prepare for massive DDOS attacks are very welcome.

regards & TIA
Kristian
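One way to automate the "sort the log by source IP, then write rules" step the post asks about. This is an added example, not code from the post or from the FreeBSD project: it assumes ipfw's syslog line format (`ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> ...`) as written by a logging rule of the form `ipfw add <n> allow log tcp from any to <servers> 80 setup`, so that each logged line is one connection setup (the `setup` keyword is what makes the count match the "number of setups" in the post). The function name `gen_ipfw_rules`, the threshold and the starting rule number are this example's own choices, and the log lines are constructed with documentation addresses.

```shell
#!/bin/sh
# Constructed sample of ipfw syslog lines (not taken from the original post).
# 198.51.100.7 opens 4 connections, 203.0.113.9 opens 3, 192.0.2.200 opens 1.
# The UDP line and the non-ipfw kernel line must be ignored.
SAMPLE_LOG='Jun  3 12:00:01 gw kernel: ipfw: 100 Accept TCP 198.51.100.7:3001 192.0.2.10:80 in via em0
Jun  3 12:00:01 gw kernel: ipfw: 100 Accept TCP 198.51.100.7:3002 192.0.2.10:80 in via em0
Jun  3 12:00:02 gw kernel: ipfw: 100 Accept TCP 203.0.113.9:4001 192.0.2.11:80 in via em0
Jun  3 12:00:02 gw kernel: ipfw: 100 Accept TCP 198.51.100.7:3003 192.0.2.11:80 in via em0
Jun  3 12:00:03 gw kernel: ipfw: 100 Accept TCP 192.0.2.200:51000 192.0.2.10:80 in via em0
Jun  3 12:00:03 gw kernel: ipfw: 100 Accept TCP 203.0.113.9:4002 192.0.2.10:80 in via em0
Jun  3 12:00:04 gw kernel: ipfw: 200 Accept UDP 198.51.100.7:53 192.0.2.10:53 in via em0
Jun  3 12:00:04 gw kernel: em0: link state changed to UP
Jun  3 12:00:05 gw kernel: ipfw: 100 Accept TCP 203.0.113.9:4003 192.0.2.11:80 in via em0
Jun  3 12:00:05 gw kernel: ipfw: 100 Accept TCP 198.51.100.7:3004 192.0.2.10:80 in via em0'

# gen_ipfw_rules THRESHOLD [FIRST_RULE_NUMBER]
# Reads ipfw log lines on stdin, counts logged TCP setups per source IP,
# and prints one "ipfw add N deny tcp from IP to any" line per source
# whose count is >= THRESHOLD, busiest source first. Rule numbers start
# at FIRST_RULE_NUMBER (default 1000), which must sort before the
# logging/allow rule so the deny takes effect. Nothing is executed here;
# pipe the output into sh after reviewing it.
gen_ipfw_rules() {
    threshold="$1"
    first_rule="${2:-1000}"
    awk '
        {
            # locate the "ipfw:" token instead of relying on fixed columns,
            # since syslog prefixes vary between hosts
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            if (i > NF) next                 # not an ipfw line
            if ($(i + 3) != "TCP") next      # only TCP setups are of interest
            split($(i + 4), src, ":")        # "a.b.c.d:port" -> a.b.c.d
            count[src[1]]++
        }
        END { for (ip in count) print count[ip], ip }
    ' | sort -rn | awk -v thr="$threshold" -v base="$first_rule" '
        $1 >= thr {
            printf "ipfw add %d deny tcp from %s to any\n", base + n, $2
            n++
        }
    '
}

# Demo: block every source that opened three or more connections.
printf '%s\n' "$SAMPLE_LOG" | gen_ipfw_rules 3
```

In use you would feed the real security log (`/var/log/security` or wherever syslog writes the ipfw facility) to `gen_ipfw_rules` from a periodic job, keep the threshold well above what a browser opens to one site, and prefer `ipfw add` of static deny rules over `limit src-addr`, since static rules cost no dynamic-rule state and so do not hit the limit the post describes.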