Re: Problem w. DDOS and ipfw (5.0-R)

Tue, 03 Jun 2003 21:22:13 -0700 

certainly the box should not die, so there might be a bug in that part
of the ipfw code.
However, as a general principle, you should avoid to create a setup where
dynamic rules are created by incoming traffic, as you are making
yourself a victim for DoS attacks.

Also, if you are having performance problems, perhaps you should
run 4.8 instead of 5.0, and use polling on the "em" side ("xl" does
not support it yet).

        cheers
        luigi

On Tue, Jun 03, 2003 at 12:59:06PM +0200, Kristian Rask wrote:
> Hi
> 
> I have a machine running 5.0-R on a 1400 Celeron w. 256Megs 
> It has an em Intel gigabit interface and an xl 3com nic
> 
> The machine is directly connected to a 100MBit internet link (Fiber w. media 
> converter)
> 
> The machine act as a packetfilter and gateway for a /27 net.
> 
> In the /27 net is two web servers running IIS-5
> 
> These web servers are subject to an ongoing denial of service attack.
> by logging and sorting the output according to SRC IP it becomes very evident who
> attacks (large nr. of setups) and who doesnt.. (who are regular users) apparently 
> 100-400+ machines are 
> hammering at the site and they are occasinally replaced by new machines (IP's).
> 
> How should one go about automating the process of converting the gained knowledge 
> from the logfiles into ipfw rules ?
> 
> if we use "limit-src" the machine dies within � a minute w. something like "To many 
> dynamic rules, rebooting in 10 seconds" 
> 
> 50-65% of the total load is interrupts... (according to top)
> 
> Any recomendations for NIC's that produces less interrupts due to caching etc ?
> 
> Any other ideas as how to cope, overcome and prepare for massive DDOS attacks are 
> very welcome.
> 
> regards & TIA
> 
> Kristian
>  
> 
> _______________________________________________
> [EMAIL PROTECTED] mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "[EMAIL PROTECTED]"
> 
_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to