On Mar 15, 2012, at 10:40 PM, Seyit Özgür wrote:

> Sorry, just my opinion, but I'm not a BSD guru.. I have only been working on BSD for about 2 months..
> I know that PF or IPFW isn't built for a multicore architecture... As far as I know, if my 
> server gets heavy SYN flood traffic, PF or IPFW is not enough on 1 core.. 
> I also tried syn_cookie, syn_cookie_only and syn_cache.. If I set up 
> syn_cookie, input errors start after 600.000 SYN packets per second. But when 
> I turn off SYN cookie protection.. my server can handle many more SYN packets 
> than 600.000.. 
> Also that's why I don't use syncookies either..
> Is there any stateful firewall software on FreeBSD which supports 
> multicore processing? (do you know?). I'm ready to set it up..
> 
> I will get tcpdump again with the -X param.. then I will post it again..
> 
> Thanks for your comments. 
> 
> ________________________________________
> From: Chuck Swiger [cswi...@mac.com]
> Sent: Thursday, March 15, 2012 10:30 PM
> To: Seyit Özgür
> Cc: freebsd-net@freebsd.org
> Subject: Re: Malformed syn packet cause %100 cpu and interrupts FreeBSD 9.0 
> release
> 
> On Mar 15, 2012, at 1:17 PM, Seyit Özgür wrote:
>> Thanks for the quick reply.. but I don't use a firewall. I tried to use PF..
>> Packet filter gets stuck at up to 100.000 SYN packets flooding (on an open port).. 
>> Without packet filter it handles much more SYN flooding. Like 1Mpps can be 
>> handled w/o interrupts that I see on my equipment.
>> But in this case of "malformed packets" I get interrupts and also input packet 
>> errors.. causing 100% CPU..
>> Is there any way to stop them without a firewall? Any RFC kernel feature that can 
>> check and stop those bogus packets?
>> Or am I doing something wrong with PF?
> 
> I prefer IPFW myself, but you probably ran out of stateful rule slots.  For a 
> high-volume service which is expected to be Internet-reachable (i.e., port 80 
> to a busy webserver), you really just don't want to have stateful rules-- 
> it's too easy to DoS the firewall itself, as you noticed.  In any event, you 
> don't need state if you are just blacklisting attack sources.
> 
> You haven't really identified what you mean by "malformed", but maybe you are 
> talking about a SYN flood, in which case make sure that SYN cookies and SYN 
> cache are enabled...
> 
> Regards,
> --
> -Chuck
> 
> 


In my experience you will endure a lot more SYN flood traffic if you use only 
syncache, and also increase the syncache sysctls.
Syncookies are somewhat more expensive to calculate and they cause 100% CPU load 
much sooner.

I use :

net.inet.tcp.syncache.hashsize=2048
net.inet.tcp.syncache.cachelimit=61440
net.inet.tcp.syncache.bucketlimit=30

Does this work better for you?
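As an added illustration (not code from the thread or from FreeBSD), the script below shows how one would check whether the syncache is actually overflowing before tuning it, and how the three tunables above relate to each other. It parses the syncache counters that `netstat -s -p tcp` prints on FreeBSD (the sample output is constructed; the field labels follow netstat, but treat the exact layout as an assumption and compare against your own host), flags bucket and cache overflows, and derives a consistent set of values: hashsize must be a power of two, and cachelimit is hashsize times bucketlimit, which is exactly how 2048 and 30 give 61440. Note that these three are loader tunables, so they belong in /boot/loader.conf rather than in a runtime `sysctl` call.

```python
import re

# Constructed excerpt of `netstat -s -p tcp` from a host under SYN flood.
# The numbers are invented for illustration only.
SAMPLE_NETSTAT = """\
tcp:
    120000 syncache entries added
        3000 retransmitted
        500 dupsyn
        0 dropped
        20000 completed
        4100 bucket overflow
        900 cache overflow
        0 reset
        11000 stale
        0 aborted
        0 badack
        0 unreach
        0 zone failures
    0 cookies sent
    0 cookies received
"""

# Labels netstat prints after each syncache counter (assumed format).
SYNCACHE_FIELDS = (
    "syncache entries added", "retransmitted", "dupsyn", "dropped",
    "completed", "bucket overflow", "cache overflow", "reset", "stale",
    "aborted", "badack", "unreach", "zone failures",
    "cookies sent", "cookies received",
)


def parse_syncache_stats(text):
    """Return {label: count} for the syncache-related lines in netstat output."""
    stats = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(.+?)\s*$", line)
        if m and m.group(2) in SYNCACHE_FIELDS:
            stats[m.group(2)] = int(m.group(1))
    return stats


def overflow_ratio(stats):
    """Fraction of syncache insertions that hit a bucket or cache overflow."""
    added = stats.get("syncache entries added", 0)
    if added == 0:
        return 0.0
    overflows = stats.get("bucket overflow", 0) + stats.get("cache overflow", 0)
    return overflows / added


def assess(stats):
    """Name the conditions that indicate the syncache is undersized."""
    findings = []
    if stats.get("bucket overflow", 0):
        findings.append("bucket overflow: raise hashsize (spreads entries over "
                        "more buckets) or bucketlimit")
    if stats.get("cache overflow", 0):
        findings.append("cache overflow: raise cachelimit")
    if stats.get("zone failures", 0):
        findings.append("zone failures: kernel could not allocate entries")
    return findings


def syncache_tunables(hashsize, bucketlimit):
    """Derive a consistent loader.conf set: hashsize must be a power of two,
    and cachelimit defaults to hashsize * bucketlimit (made explicit here)."""
    if hashsize <= 0 or hashsize & (hashsize - 1):
        raise ValueError("net.inet.tcp.syncache.hashsize must be a power of two")
    return {
        "net.inet.tcp.syncache.hashsize": hashsize,
        "net.inet.tcp.syncache.bucketlimit": bucketlimit,
        "net.inet.tcp.syncache.cachelimit": hashsize * bucketlimit,
    }


def loader_conf_lines(tunables):
    """Render tunables as /boot/loader.conf lines (these are not runtime sysctls)."""
    return ['%s="%d"' % (k, v) for k, v in sorted(tunables.items())]


if __name__ == "__main__":
    stats = parse_syncache_stats(SAMPLE_NETSTAT)
    print("overflow ratio: %.4f" % overflow_ratio(stats))
    for f in assess(stats):
        print("-", f)
    # The values suggested in the reply above, with cachelimit derived.
    print("\n".join(loader_conf_lines(syncache_tunables(2048, 30))))
```

Run it on a real host by replacing SAMPLE_NETSTAT with the output of `netstat -s -p tcp`; a non-zero overflow ratio is the signal that the syncache, not the firewall, is the first thing to grow.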

