blocking a string in a packet using ipfw
Willem Jan Withagen
wjw at withagen.nl
Thu Sep 14 08:25:15 PDT 2006
Oliver Fromme wrote:
> Gary Palmer wrote:
> > Willem Jan Withagen wrote:
> > > I received a call from a customer this morning that all of his websites were
> > > no longer online. So after some resetting and more, it turned out that there
> > > was a serious overload on his server. Over 500 clients connected (norm is 50),
> > > and they were all trying to get this file 777.gif (which is not on any of the
> > > sites).
> >
> > Why not just create a 0 length file 777.gif and let people fetch it?
> > It's probably a lot less work for the server.
>
> I don't think so. The overhead in Apache for serving
> a file is quite big. On the other hand, IPFW tables
> store IP addresses in a radix tree, which should be
> quite efficient even for 100,000 entries.
I tried addressing that in a previous message. And I concur with you.
>
> By the way: If incoming bandwidth is a concern, it is
> probably better to use "reset" instead of "deny" in the
> IPFW rule. If you use deny, the packets are simply
> dropped, causing the clients to retransmit their SYN
> packets several times, while "reset" (which here means
> "connection refused") causes no TCP retransmits.
The reason for not doing so is that bandwidth is not really an issue here:
2*155mbit connections to both Amsterdam and Frankfurt. :)
So people with viruses banging their heads against my door, and getting
stalled because of timeouts, is IMHO a nice way of slowing the harassment
down. I would even consider writing something that returns 1 char per 30 secs
for like forever, if only it didn't make me run out of server slots/sockets/other
resources....
--WjW
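The approach the thread converges on, pulling the offending clients out of the web server log and parking them in an IPFW table with a single "deny" or "reset" rule, as an added example. This script is not from the thread or from anyone posting in it; the log lines are constructed, and the table number (1), rule number (100), the "to me 80" match and the Apache combined log layout are assumptions. It only prints the ipfw commands, so it can be checked before being piped into sh on the firewall host.

```shell
#!/bin/sh
# Constructed Apache combined-log sample (not from the thread). Two clients fetch
# 777.gif, one of them repeatedly, one asks for it under a subdirectory, and one
# is a normal visitor that must not end up in the table.
SAMPLE_LOG='192.0.2.10 - - [14/Sep/2006:08:00:01 +0200] "GET /777.gif HTTP/1.1" 404 209 "-" "Mozilla/4.0"
192.0.2.11 - - [14/Sep/2006:08:00:02 +0200] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
192.0.2.10 - - [14/Sep/2006:08:00:03 +0200] "GET /777.gif HTTP/1.1" 404 209 "-" "Mozilla/4.0"
198.51.100.7 - - [14/Sep/2006:08:00:04 +0200] "GET /777.gif HTTP/1.0" 404 209 "-" "-"
203.0.113.5 - - [14/Sep/2006:08:00:05 +0200] "GET /images/777.gif HTTP/1.1" 404 209 "-" "-"'

# offenders FILENAME: read log lines on stdin and print each client IP that
# requested FILENAME (matched on the last path component, so /images/777.gif
# counts too) exactly once, sorted. Only GET requests are considered.
offenders() {
    awk -v want="$1" '
        $6 == "\"GET" {
            n = split($7, part, "/")          # $7 is the request path
            if (part[n] == want) seen[$1] = 1 # $1 is the client address
        }
        END { for (ip in seen) print ip }
    ' | sort
}

# ipfw_rules ACTION: read one IP per line on stdin and print the ipfw commands
# that load them into table 1, then one rule in front of the web server rules.
# "deny" silently drops the SYNs, so infected clients keep retransmitting and
# stall on timeouts; "reset" answers with RST ("connection refused"), which
# costs fewer incoming packets. Nothing is executed here.
ipfw_rules() {
    action="$1"
    case "$action" in
        deny|reset) ;;
        *) echo "ipfw_rules: action must be deny or reset" >&2; return 1 ;;
    esac
    while read -r ip; do
        echo "ipfw table 1 add $ip"
    done
    echo "ipfw add 100 $action tcp from table(1) to me 80"
}

# Demonstration: generate the rule set for the constructed log.
printf '%s\n' "$SAMPLE_LOG" | offenders 777.gif | ipfw_rules reset
```

Re-running the script against a growing log is harmless: "ipfw table 1 add" for an address that is already present just reports an error, and the table itself is looked up in a radix tree, so it stays cheap however many entries end up in it.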