Date: Wed, 4 Jun 2003 12:03:26 +0200
From: "Kristian Rask" <krask@isupport.dk>
To: <freebsd-net@freebsd.org>
Subject: Gear for security (Shields up)
Message-ID: <002701c32a80$8dd2f8a0$0a01a8c0@example.org>
Hi all,

I'm in the situation that I receive 3000+ setups per second (for https) as a result of a DDoS against some webservers. The webservers (MS IIS) are behind a FreeBSD 5.0-R machine that functions as a packet filter (ipfw) and gateway. The internet link is a 100 Mbit fiber with a media converter connected directly into the BSD box.

At present we have a half-automated process of looking at logfiles and generating ipfw rules to deny the setups (SYN) for the webservers. As of right now we have reduced the throughput to the servers from approx. 3000 to approx. 400-600 per second; the problem right now is that the DDoS attack is dynamic: new sources come in and old ones die. The definition of an attack is simply the number of setups made against the server in a short interval; humans produce maybe 20-80 setups, so anything above 200 is assumed to be part of the DDoS attack. And yes, we need to establish new rules very fast, but this is actually slightly off-topic.

The subject is gear = hardware. We can see that the system (presently a 1400 Celeron with 256 MB) spends approx. 50% of its time servicing interrupts. From assorted places I have heard the following statements:

- Some fxp's can do "ifconfig fxp0 link0", which should reduce the number of interrupts
- Gigabit adapters have larger onboard caches and more hardware support to reduce the amount of interrupts

I would very much like to hear people's recommendations regarding actual NICs that are "more ideal" than others and exactly why they are more ideal.

Also, our only way to know that something is an attack is to measure the amount of setups per unit of time. Any ideas as to how one might measure setups/sec the easiest way (easy as in "low load on the machine")?

We are of course aiming for a fully automated process with real-time detection and ipfw rule insertion.

Regards and TIA,
Kristian
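The automation half of the question (count setups per source over a short interval, turn anything above the 200 threshold into an ipfw deny rule) is small enough to show in code. The following is an added example written for this archive page; it is not Kristian's script and not part of FreeBSD. It assumes the gateway already logs each accepted setup with a rule such as `ipfw add 500 count log tcp from any to 192.0.2.10 443 setup`, so that syslog receives one line per SYN in the ipfw2 layout `Jun  4 12:03:26 gw kernel: ipfw: 500 Count TCP 198.51.100.7:4711 192.0.2.10:443 in via fxp0`. The web server address 192.0.2.10, the interface fxp0, the rule numbers and the sample traffic are all constructed; the threshold (200 setups in a short interval) is the one from the message. It says nothing about the NIC question.

```python
"""Sliding-window SYN-rate detector that emits ipfw deny rules.

Added example for the freebsd-net message above, not code from the thread.
Assumptions (all constructed): the web server is 192.0.2.10, the logging
rule is number 500, the external interface is fxp0, and the log lines are
in the ipfw2 syslog layout shown in sample_log().
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: ipfw: \d+ \w+ TCP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):\d+ (?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) in via \S+$"
)


def parse_ts(ts, year=2003):
    """syslog timestamps carry no year; supply the one the log was taken in."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def detect(lines, threshold=200, window_s=10):
    """Return {src: peak_setups_in_window} for every source that reaches
    `threshold` SYNs inside any `window_s`-second sliding window.
    Lines are taken in log order; lines that do not match are ignored."""
    recent = defaultdict(deque)  # src -> timestamps of its SYNs still inside the window
    offenders = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        now = parse_ts(m["ts"])
        q = recent[m["src"]]
        q.append(now)
        while (now - q[0]).total_seconds() > window_s:  # expire SYNs that left the window
            q.popleft()
        if len(q) >= threshold:
            offenders[m["src"]] = max(offenders.get(m["src"], 0), len(q))
    return offenders


def ipfw_rules(offenders, dst, dport=443, rule_no=100):
    """Commands to insert. All deny rules share one number below the logging
    rule (500 in the assumption above) so ipfw evaluates them first, and the
    whole set can be dropped with `ipfw delete 100` once the sources die off."""
    return [
        f"ipfw add {rule_no} deny tcp from {src} to {dst} {dport} setup"
        for src in sorted(offenders)
    ]


def sample_log():
    """Constructed traffic: one flooder (250 SYNs in 5 s) and one human (30 SYNs in 10 s)."""
    base = datetime(2003, 6, 4, 12, 3, 26)

    def line(t, src, port):
        stamp = f"{t:%b} {t.day:2d} {t:%H:%M:%S}"  # syslog pads the day to two columns
        return f"{stamp} gw kernel: ipfw: 500 Count TCP {src}:{port} 192.0.2.10:443 in via fxp0"

    events = [(base + timedelta(seconds=i * 5 / 250), "198.51.100.7", 40000 + i) for i in range(250)]
    events += [(base + timedelta(seconds=i * 10 / 30), "203.0.113.5", 50000 + i) for i in range(30)]
    events.sort()
    return [line(t, src, port) for t, src, port in events]


if __name__ == "__main__":
    hits = detect(sample_log())
    for cmd in ipfw_rules(hits, dst="192.0.2.10"):
        print(cmd)  # the automated step would hand these to /sbin/ipfw
```

Run against the constructed log, only 198.51.100.7 crosses the threshold and a single `ipfw add 100 deny tcp from 198.51.100.7 to 192.0.2.10 443 setup` comes out; the human at 203.0.113.5 stays untouched. Feeding the same function from `tail -f` on the syslog file turns it into the real-time loop the message asks for, at the cost that logging every SYN through syslog is itself load on the box.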