Date: Thu, 15 Mar 2012 16:20:40 -0700
From: Michael Sierchio <kudzu@tenebras.com>
To: Chuck Swiger <cswiger@mac.com>
Cc: "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>, Seyit Özgür <seyit.ozgur@istanbul.net>
Subject: Re: Malformed syn packet cause %100 cpu and interrupts FreeBSD 9.0 release
Message-ID: <CAHu1Y71G-bpEhkLGimpNyM5GGtuUaGqdW7fM_tTK0_wKXFQqNQ@mail.gmail.com>
In-Reply-To: <13511933-562D-4887-951B-5BB01F62AB00@mac.com>
References: <3807CE6F3BF4B04EB897F4EBF2D258CE5C05F221@yuhanna.magnetdigital.local> <38FA7BAB-AC2B-4515-85CF-27F77C3F4313@mac.com> <3807CE6F3BF4B04EB897F4EBF2D258CE5C05F28C@yuhanna.magnetdigital.local> <13511933-562D-4887-951B-5BB01F62AB00@mac.com>
2012/3/15 Chuck Swiger <cswiger@mac.com>

> I prefer IPFW myself, but you probably ran out of stateful rule slots. For
> a high-volume service which is expected to be Internet-reachable (i.e., port
> 80 to a busy webserver), you really just don't want to have stateful
> rules-- it's too easy to DoS the firewall itself, as you noticed. In any
> event, you don't need state if you are just blacklisting attack sources.

I too prefer ipfw, especially since adding blacklist IP addresses or networks to a table is extremely efficient.

> You haven't really identified what you mean by "malformed", but maybe you
> are talking about a SYN flood, in which case make sure that SYN cookies and
> SYN cache are enabled...

I'm still wondering, too. Are the packets malformed, or is this a SYN flood?

- M
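The two rulesets the replies above contrast, as an added example that is not code from this thread or from FreeBSD: a POSIX sh script that emits an ipfw(8) rules file in which attack sources are dropped via a table and port 80 is admitted with stateless rules, beside the stateful variant (check-state plus keep-state) whose dynamic entries a flood can exhaust. The table number (1), the rule numbers, the RFC 5737 documentation prefixes used as sample attackers, and the IPFW_MODE variable are assumptions made for the example; the script only loads the rules when run as root on a host that has ipfw, and otherwise prints them.

```sh
#!/bin/sh
# Added example (not from the original thread): generate an ipfw ruleset that
# (a) drops traffic from a blacklist table and (b) admits port-80 traffic
# without creating dynamic state, beside the stateful variant that fills
# net.inet.ip.fw.dyn_max under a SYN flood. Table/rule numbers are assumed.

BLACKLIST_TABLE=1                      # assumed table number
# Constructed sample attack sources (RFC 5737 documentation prefixes).
ATTACKERS="192.0.2.0/24 198.51.100.7 203.0.113.0/25"

# Table inserts: one hash insert per prefix, so thousands of entries add no
# per-packet rule-walking cost, which is why a table beats one rule per host.
blacklist_entries() {
    for net in $ATTACKERS; do
        printf 'table %s add %s\n' "$BLACKLIST_TABLE" "$net"
    done
}

# Stateless rules: no dynamic rule is allocated per connection, so a SYN
# flood cannot exhaust the dynamic-rule limit or pin the CPU in ipfw.
web_rules_stateless() {
    printf 'add 100 deny ip from table(%s) to any\n' "$BLACKLIST_TABLE"
    printf 'add 200 allow tcp from any to me 80 in\n'
    printf 'add 210 allow tcp from me 80 to any out\n'
    printf 'add 65000 deny ip from any to any\n'
}

# The weak variant: every SYN to port 80 allocates a dynamic rule, and the
# flood source needs no handshake to make it do so.
web_rules_stateful() {
    printf 'add 100 deny ip from table(%s) to any\n' "$BLACKLIST_TABLE"
    printf 'add 150 check-state\n'
    printf 'add 200 allow tcp from any to me 80 in setup keep-state\n'
    printf 'add 65000 deny ip from any to any\n'
}

# Whole rules file for "ipfw -q <file>"; $1 is "stateless" or "stateful".
gen_ruleset() {
    printf 'flush\n'
    printf 'table %s flush\n' "$BLACKLIST_TABLE"
    blacklist_entries
    case "$1" in
        stateful) web_rules_stateful ;;
        *)        web_rules_stateless ;;
    esac
}

# Number of rules in a ruleset that create dynamic state (0 is the goal for
# an Internet-facing service port).
dynamic_rule_count() {
    gen_ruleset "$1" | grep -c 'keep-state' || true
}

# Load the ruleset on a FreeBSD host when root; elsewhere just print it so
# the file can be reviewed before it touches a live firewall.
apply_ruleset() {
    mode="${1:-stateless}"
    if command -v ipfw >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        tmp=$(mktemp) || return 1
        gen_ruleset "$mode" > "$tmp"
        ipfw -q "$tmp"; rc=$?
        rm -f "$tmp"
        return $rc
    fi
    gen_ruleset "$mode"
}

apply_ruleset "${IPFW_MODE:-stateless}"
```

On the FreeBSD box itself, `ipfw -d show` lists the dynamic rules currently held and `sysctl net.inet.ip.fw.dyn_count net.inet.ip.fw.dyn_max` shows how close the stateful variant is to its limit; `sysctl net.inet.tcp.syncookies` should read 1 before blaming the firewall for SYN-flood symptoms.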