em0, polling performance, P4 2.8ghz FSB 800mhz

Don Bowman don at sandvine.com
Sun Feb 29 08:16:21 PST 2004

From: Mike Silbersack [mailto:silby at silby.com]
> On Sat, 28 Feb 2004, Don Bowman wrote:
> > You could use ipfw to limit the damage of a syn flood, e.g.
> > a keep-state rule with a limit of ~2-5 per source IP, lower the
> > timeouts, increase the hash buckets in ipfw, etc. This would
> > use a mask on src-ip of all bits.
> > something like:
> > allow tcp from any to any setup limit src-addr 2
> >
> > this would only allow 2 concurrent TCP sessions per unique
> > source address. Depends on the syn flood you are expecting
> > to experience. You could also use dummynet to shape syn
> > traffic to a fixed level i suppose.
> Does that really help?  If so, we need to optimize the syncache. :(

In a real-world situation, with some latency from the originating
syn-flood attacker, the syncache behaves fine.
In a synthetic test situation like this, with probably ~0 latency
from the initiator, the syncache gets overwhelmed too.

More information about the freebsd-hackers mailing list