It's of course a SYN flood with malformed SYN packets, around 100,000 packets per second from different IP addresses. At around 40,000 pps input errors start and the CPU goes to 100% (the NIC uses 8 cores with different IRQs on an x8 bus (2.5 GT/s); all CPUs at 100%). It also can't handle 60,000 pps.

But with a normal SYN flood the same equipment can handle around 1 Mpps (different IPs), without any firewall software, just by tuning some kernel params. Today I will get a tcpdump with the -X param and I will share it with you. I think this problem is about the CPU processing those packets and going up to 100%, but they are bogus SYN packets. I think if the bogus SYN packets weren't processed by the CPU, it would be OK.

Regards
Seyit Özgür
Network Administrator

From: Michael Sierchio [mailto:ku...@tenebras.com]
Sent: Friday, March 16, 2012 1:21 AM
To: Chuck Swiger
Cc: Seyit Özgür; freebsd-net@freebsd.org
Subject: Re: Malformed syn packet cause %100 cpu and interrupts FreeBSD 9.0 release

2012/3/15 Chuck Swiger <cswi...@mac.com>

> I prefer IPFW myself, but you probably ran out of stateful rule slots. For high-volume services which are expected to be Internet-reachable (i.e., port 80 to a busy webserver), you really just don't want to have stateful rules; it's too easy to DoS the firewall itself, as you noticed. In any event, you don't need state if you are just blacklisting attack sources.

I too prefer ipfw, especially since adding blacklisted IP addresses or networks to a table is extremely efficient.

> You haven't really identified what you mean by "malformed", but maybe you are talking about a SYN flood, in which case make sure that SYN cookies and SYN cache are enabled...

I'm still wondering, too. Are the packets malformed, or is this a SYN flood?

- M
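As an added illustration (not code from this thread, from FreeBSD or from ipfw), a small Python classifier that sorts raw TCP segments of the kind a `tcpdump -X` capture shows into well-formed SYNs and malformed ones, and counts malformed SYNs per source so the offenders could be fed to a blacklist table. The sample segments and the 192.0.2.x / 198.51.100.x addresses are constructed, and the `build_tcp` helper and the class names are my own.

```python
import struct
from collections import Counter

# TCP flag bits (low byte of the data-offset/flags word).
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

def classify_tcp(segment: bytes) -> str:
    """Classify one raw TCP segment (header + payload, no IP header):
    'normal-syn', 'not-syn', 'syn-ack', or a reason the SYN is malformed."""
    if len(segment) < 20:
        return "truncated-header"
    off_flags, = struct.unpack("!H", segment[12:14])
    data_off = (off_flags >> 12) * 4        # header length in bytes
    flags = off_flags & 0x01FF              # 9 flag bits (incl. NS)
    if data_off < 20 or data_off > len(segment):
        return "bad-data-offset"
    if not flags & SYN:
        return "not-syn"
    if flags & (FIN | RST):
        return "syn-with-fin-or-rst"         # contradictory flag combination
    if flags & ACK:
        return "syn-ack"                     # server half of the handshake
    if len(segment) > data_off:
        return "syn-with-payload"            # data on a first SYN is unusual
    return "normal-syn"

def build_tcp(flags: int, payload: bytes = b"", hdr_words: int = 5) -> bytes:
    """Constructed minimal TCP header (no options) used only for sample traffic."""
    return struct.pack("!HHIIHHHH", 40000, 80, 1, 0,
                       (hdr_words << 12) | flags, 65535, 0, 0) + payload

def summarize(packets):
    """packets: iterable of (src_ip, tcp_segment) -> (class counts,
    per-source count of malformed SYNs worth putting in a blacklist table)."""
    classes, bad_sources = Counter(), Counter()
    for src, seg in packets:
        kind = classify_tcp(seg)
        classes[kind] += 1
        if kind not in ("normal-syn", "not-syn", "syn-ack"):
            bad_sources[src] += 1
    return classes, bad_sources

# Constructed sample (RFC 5737 addresses): 2 clean SYNs, SYN+FIN, SYN with data, bad offset.
SAMPLE = [
    ("192.0.2.10", build_tcp(SYN)),
    ("192.0.2.11", build_tcp(SYN)),
    ("198.51.100.5", build_tcp(SYN | FIN)),
    ("198.51.100.5", build_tcp(SYN, b"GET / HTTP/1.0\r\n")),
    ("198.51.100.6", build_tcp(SYN, hdr_words=12)),
]
```

Running `summarize(SAMPLE)` gives two `normal-syn` and three malformed classes, with 198.51.100.5 counted twice and 198.51.100.6 once; a real capture would be fed the TCP bytes after the IP header.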