From: "Kristian Rask" <krask@isupport.dk>
To: freebsd-net@freebsd.org
Date: Wed, 4 Jun 2003 12:03:26 +0200
Subject: Gear for security (Shields up)
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net@freebsd.org>

Hi all

I'm in the situation that I receive 3000+ setups per second (for https) as a result of a DDoS against some webservers. The webservers (MS IIS) are behind a FreeBSD 5.0-R machine that functions as a packet filter (ipfw) and gateway. The internet link is a 100MBit fiber with a media converter connected directly into the BSD box.

At present we have a half-automated process of looking at logfiles and generating ipfw rules to deny the setups (SYN) for the webservers. As of right now we have reduced the throughput to the servers from approx. 3000 to approx. 400-600 per second; the problem right now is that the DDoS attack is dynamic: new sources come in and old ones die. The definition of an attack is simply the number of setups made against the server in a short interval; humans produce maybe 20-80 setups, so anything above 200 is assumed to be part of the DDoS attack. And yes, we need to establish new rules very fast, but this is actually slightly off-topic.

The subject is gear = hardware. We can see that the system (presently a 1400 Celeron with 256MB) spends approx. 50% of its time servicing interrupts. From assorted places I have heard the following statements:

- Some fxp's can do "ifconfig fxp0 link0", which should reduce the number of interrupts
- Gigabit adapters have larger onboard caches and more hardware support to reduce the amount of interrupts

I would very much like to hear people's recommendations regarding actual NICs that are "more ideal" than others and exactly why they are more ideal.

Also, our only way to know that something is an attack is to measure the amount of setups per unit of time. Any ideas as to how one might measure setups/sec the easiest way (easy as in "low load on the machine")? We are of course aiming for a fully automated process with real-time detection and ipfw rule insertion.

Regards and TIA
Kristian
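As an added example (not part of the post above, nor FreeBSD project code), here is the detection step the poster describes, run over constructed ipfw log lines: count TCP setups per source in a fixed interval, flag any source above the 200-per-interval threshold the post proposes, and render one ipfw deny rule per flagged source. It assumes a counting rule that logs every SYN to the web servers, e.g. `ipfw add 100 count log tcp from any to any 443 setup`, and the FreeBSD 5.x syslog line format `ipfw: <rule> <action> TCP <src>:<port> <dst>:<port> in via <iface>`; the ten-second interval, the rule-number block starting at 1000 and all addresses are assumptions made for the example.

```python
#!/usr/bin/env python3
"""Flag SYN-flood sources from ipfw log lines and generate ipfw deny rules.

Added example, not from the original post. Assumed inputs:
  - a rule such as   ipfw add 100 count log tcp from any to any 443 setup
    so every TCP setup to the web servers reaches syslog as
    'Jun  4 12:03:26 gw kernel: ipfw: 100 Count TCP 80.163.129.76:3456 10.0.0.5:443 in via fxp0'
  - THRESHOLD of 200 setups per interval is the figure from the post;
    INTERVAL_S and FIRST_RULE are assumptions for this example.
"""
import re
from collections import defaultdict
from datetime import datetime

INTERVAL_S = 10      # assumed measuring interval, seconds
THRESHOLD = 200      # setups per interval above which a source is treated as attack traffic
FIRST_RULE = 1000    # assumed rule-number block reserved for auto-generated denies

# Assumed FreeBSD 5.x ipfw syslog format for TCP; UDP/ICMP lines deliberately do not match.
LOG_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: ipfw: (?P<rule>\d+) '
    r'(?P<action>\w+) TCP (?P<src>\d+\.\d+\.\d+\.\d+):\d+ '
    r'(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) (?:in|out) via \S+$'
)

EPOCH = datetime(1900, 1, 1)   # syslog timestamps carry no year; strptime fills in 1900


def parse_line(line):
    """Return (seconds since EPOCH, src address, dst port) for an ipfw TCP line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group('ts'), '%b %d %H:%M:%S')
    return (ts - EPOCH).total_seconds(), m.group('src'), int(m.group('dport'))


def flood_sources(lines, dport=443, interval=INTERVAL_S, threshold=THRESHOLD):
    """Bucket setups per source into fixed intervals; return the sources that
    exceeded the threshold in any interval, in the order they were first flagged."""
    counts = defaultdict(lambda: defaultdict(int))   # bucket -> src -> setups
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        secs, src, port = parsed
        if port != dport:
            continue
        counts[int(secs // interval)][src] += 1
    flagged = []
    for bucket in sorted(counts):
        for src, n in counts[bucket].items():
            if n > threshold and src not in flagged:
                flagged.append(src)
    return flagged


def ipfw_deny_rules(sources, dport=443, first_rule=FIRST_RULE):
    """Render one 'deny ... setup' rule per source, one per line, for /sbin/ipfw."""
    return ['ipfw add %d deny tcp from %s to any %d setup' % (first_rule + i, src, dport)
            for i, src in enumerate(sources)]


def sample_log():
    """Constructed sample: one flooding source, one busy human client, two non-HTTPS lines."""
    fmt = 'Jun  4 12:03:%02d gw kernel: ipfw: 100 Count TCP %s:%d 10.0.0.5:443 in via fxp0'
    lines = []
    for i in range(250):                 # 250 SYNs inside ten seconds: attack traffic
        lines.append(fmt % (i % 10, '80.163.129.76', 1024 + i))
    for i in range(40):                  # 40 SYNs in the same window: within the human range
        lines.append(fmt % (i % 10, '192.0.2.10', 2000 + i))
    lines.append('Jun  4 12:03:05 gw kernel: ipfw: 100 Count TCP 198.51.100.7:5555 10.0.0.5:22 in via fxp0')
    lines.append('Jun  4 12:03:05 gw kernel: ipfw: 100 Count UDP 198.51.100.7:5555 10.0.0.5:53 in via fxp0')
    return lines


if __name__ == '__main__':
    for rule in ipfw_deny_rules(flood_sources(sample_log())):
        print(rule)
```

Two caveats for using this on the gateway itself: ipfw rate-limits log output per rule (the net.inet.ip.fw.verbose_limit sysctl), so the limit must be raised or the counts are truncated exactly when the flood is heaviest; and syslog writes per SYN are themselves CPU load on a box already spending half its time in interrupt handlers, so a counter read with `ipfw show` at each interval is the cheaper measurement when only the aggregate rate is needed.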