From owner-freebsd-net@FreeBSD.ORG Tue Jun 3 04:15:04 2003
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2100637B401 for ; Tue, 3 Jun 2003 04:15:04 -0700 (PDT)
Received: from xorpc.icir.org (xorpc.icir.org [192.150.187.68]) by mx1.FreeBSD.org (Postfix) with ESMTP id ECF6243FB1 for ; Tue, 3 Jun 2003 04:15:02 -0700 (PDT) (envelope-from rizzo@xorpc.icir.org)
Received: from xorpc.icir.org (localhost [127.0.0.1]) by xorpc.icir.org (8.12.8p1/8.12.3) with ESMTP id h53BF1Qg049364; Tue, 3 Jun 2003 04:15:01 -0700 (PDT) (envelope-from rizzo@xorpc.icir.org)
Received: (from rizzo@localhost) by xorpc.icir.org (8.12.8p1/8.12.3/Submit) id h53BF1Co049363; Tue, 3 Jun 2003 04:15:01 -0700 (PDT) (envelope-from rizzo)
Date: Tue, 3 Jun 2003 04:15:01 -0700
From: Luigi Rizzo
To: Kristian Rask
Message-ID: <20030603041501.B49218@xorpc.icir.org>
References: <008101c329bf$2a164220$0a01a8c0@example.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <008101c329bf$2a164220$0a01a8c0@example.org>; from krask@isupport.dk on Tue, Jun 03, 2003 at 12:59:06PM +0200
cc: freebsd-net@freebsd.org
Subject: Re: Problem w. DDOS and ipfw (5.0-R)
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 03 Jun 2003 11:15:04 -0000

Certainly the box should not die, so there might be a bug in that part of the ipfw code.
However, as a general principle, you should avoid creating a setup where dynamic rules
are created by incoming traffic, as you are making yourself a victim of DoS attacks.
Also, if you are having performance problems, perhaps you should run 4.8 instead of 5.0,
and use polling on the "em" side ("xl" does not support it yet).

cheers
luigi

On Tue, Jun 03, 2003 at 12:59:06PM +0200, Kristian Rask wrote:
> Hi
>
> I have a machine running 5.0-R on a 1400 Celeron w. 256 Megs.
> It has an em Intel gigabit interface and an xl 3com NIC.
>
> The machine is directly connected to a 100 Mbit internet link (fiber w. media converter).
>
> The machine acts as a packet filter and gateway for a /27 net.
>
> In the /27 net are two web servers running IIS-5.
>
> These web servers are subject to an ongoing denial of service attack.
> By logging and sorting the output according to SRC IP it becomes very evident who
> attacks (large nr. of setups) and who doesn't (who are regular users). Apparently 100-400+ machines are
> hammering at the site and they are occasionally replaced by new machines (IPs).
>
> How should one go about automating the process of converting the gained knowledge from the logfiles into ipfw rules?
>
> If we use "limit-src" the machine dies within ½ a minute w. something like "Too many dynamic rules, rebooting in 10 seconds".
>
> 50-65% of the total load is interrupts (according to top).
>
> Any recommendations for NICs that produce fewer interrupts due to caching etc.?
>
> Any other ideas as to how to cope with, overcome and prepare for massive DDoS attacks are very welcome.
>
> regards & TIA
>
> Kristian
>
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
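Kristian asks how to turn the per-source setup counts he sees in the ipfw log into rules, and Luigi's advice is not to let incoming packets decide how many rules exist. The script below is an added example, written for this page and not code from either poster or from the ipfw project: it reads ipfw log lines, counts logged TCP setups per source address, and emits a fixed set of static deny rules for the sources over a threshold, so the size of the rule set is chosen offline by the operator rather than grown by attacker traffic. It assumes the accept rule for port 80 logs "setup" packets in the "ipfw: RULE ACTION PROTO SRC:PORT DST:PORT ..." syslog format; the sample log lines are constructed, and the threshold (3) and rule numbers (from 50) are illustrative.

```shell
#!/bin/sh
# Added example, not code from the thread. Turns ipfw log lines into a
# fixed set of static deny rules for the sources with the most TCP setups,
# so the rule count is decided offline rather than by incoming packets.
# Assumptions: the accept rule for port 80 logs "setup" packets in the
# "ipfw: RULE ACTION PROTO SRC:PORT DST:PORT ..." syslog format; the
# threshold and rule numbers are illustrative.

# Constructed sample of logged setups (not a real capture): 192.0.2.10
# sends 5, 203.0.113.7 sends 3, 198.51.100.99 sends 1; the UDP and Deny
# lines must be ignored by the counter.
SAMPLE_LOG='Jun  3 12:40:01 gw /kernel: ipfw: 100 Accept TCP 192.0.2.10:33801 198.51.100.5:80 in via em0
Jun  3 12:40:01 gw /kernel: ipfw: 100 Accept TCP 192.0.2.10:33802 198.51.100.5:80 in via em0
Jun  3 12:40:02 gw /kernel: ipfw: 100 Accept TCP 203.0.113.7:51000 198.51.100.6:80 in via em0
Jun  3 12:40:02 gw /kernel: ipfw: 100 Accept TCP 192.0.2.10:33803 198.51.100.5:80 in via em0
Jun  3 12:40:02 gw /kernel: ipfw: 200 Accept UDP 203.0.113.7:53 198.51.100.6:53 in via em0
Jun  3 12:40:03 gw /kernel: ipfw: 100 Accept TCP 198.51.100.99:4000 198.51.100.5:80 in via em0
Jun  3 12:40:03 gw /kernel: ipfw: 100 Accept TCP 203.0.113.7:51001 198.51.100.6:80 in via em0
Jun  3 12:40:03 gw /kernel: ipfw: 100 Accept TCP 192.0.2.10:33804 198.51.100.5:80 in via em0
Jun  3 12:40:04 gw /kernel: ipfw: 300 Deny TCP 192.0.2.10:33805 198.51.100.5:22 in via em0
Jun  3 12:40:04 gw /kernel: ipfw: 100 Accept TCP 203.0.113.7:51002 198.51.100.6:80 in via em0
Jun  3 12:40:04 gw /kernel: ipfw: 100 Accept TCP 192.0.2.10:33806 198.51.100.5:80 in via em0'

# Print "COUNT IP" for every source whose logged TCP setup count reaches
# the threshold ($1), busiest first. Reads ipfw log lines on stdin.
top_sources() {
    awk -v t="$1" '
        /ipfw: [0-9]+ Accept TCP / {
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            # after "ipfw:" come RULE ACTION PROTO, then SRC:PORT
            split($(i + 4), src, ":")
            n[src[1]]++
        }
        END { for (ip in n) if (n[ip] >= t) print n[ip], ip }
    ' | sort -rn
}

# Turn "COUNT IP" lines on stdin into ipfw commands: one static deny rule
# per source, numbered upward from $1 so they sort before the accept rule
# that produced the log entries.
emit_rules() {
    rule="$1"
    while read -r count ip; do
        printf 'ipfw add %d deny tcp from %s to any 80 setup\n' "$rule" "$ip"
        rule=$((rule + 1))
    done
}

# Whole pipeline: ipfw log on stdin, threshold $1, first rule number $2.
build_blocklist() {
    top_sources "$1" | emit_rules "$2"
}

# Demo on the constructed sample: two sources reach the threshold of 3.
printf '%s\n' "$SAMPLE_LOG" | build_blocklist 3 50
```

Run against the real log (for example `build_blocklist 200 50 < /var/log/security`) from cron, delete the previous batch of generated rule numbers before loading the new one, and raise the threshold if the output gets longer than the box can comfortably hold. The number of rules is then bounded by the operator's choice, which is the property the dynamic "limit-src" setup lacks: there, each new source address creates kernel state on its own.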