blocking a string in a packet using ipfw
Gary Palmer
gpalmer at freebsd.org
Thu Sep 14 08:34:35 PDT 2006
On Thu, Sep 14, 2006 at 05:14:55PM +0200, Willem Jan Withagen wrote:
> I had several suggestions this direction. And it does help a little.
> The math is however against me.
>
> I had over 50 requests/sec for this file. Now if the virus uses anything
> which leaves the connection open for the regular timeout, and the server uses
> KeepAlive, then you run into trouble because you soon run out of
> server slots. And even if you were to put up with the standard Apache setting
> of 15 secs, you have to set it at 750 server slots.
>
> A server slot takes about 13MB of virtual memory, of which about 8MB is resident.
> The machine has 512MB of real memory, so after about 60 servers the machine
> starts to swap. Which works until about 100-150 server slots (empirical
> proof).
> Now imagine what 500 would do, which is the initial setting for the number
> of MaxServers. The machine comes to a grinding halt. Which was what we also
> painfully found out.
>
> So solutions here are:
> either a very short keepalive timeout
> or no keepalive at all.
>
> Note that since this morning over 45,000 infected systems have tried to access
> this server.
<puts on evil hat>
Configure Apache to issue an HTTP 302 redirect to some big file on
microsoft.com
You might even be able to get them to download the Windows Defender
thing to clean up their systems
</puts on evil hat>
You might still have to turn off keepalives :-(
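The two measures discussed in this exchange (shortening or disabling keepalives so each infected client stops pinning a server slot, and answering the request with a 302 instead of serving the file) can both be expressed in an Apache 2.2-era httpd.conf. The fragment below is an added example and is not configuration posted by anyone in the thread; the path /infected-target.exe, the redirect target host downloads.example.com, the User-Agent string WormAgent and the MaxClients value are all assumptions chosen to match the figures quoted above (roughly 8MB resident per child on a 512MB machine). A redirect only reduces load if the worm's HTTP client actually follows 302 responses; if it does not, each request still costs one short response, which is why keepalives may still need to go.

```apache
# Added example, not from the thread. Apache 2.2 httpd.conf fragment.
# Path, redirect target, User-Agent pattern and tuning values are assumptions.

# 1. Stop each infected client from holding a server slot for the full
#    KeepAliveTimeout. Either drop keepalives entirely ...
KeepAlive Off
# ... or, if legitimate clients benefit from them, keep the timeout very
#     short so 50 req/s does not translate into 750 busy children:
# KeepAlive On
# KeepAliveTimeout 2

# 2. With ~8MB resident per child and 512MB of RAM, never let the prefork
#    MPM grow to the stock 500 children. Cap it below the point where the
#    box starts swapping (60 here is an assumption based on the quoted figures).
<IfModule mpm_prefork_module>
    StartServers          8
    MinSpareServers       5
    MaxSpareServers      20
    MaxClients           60
    MaxRequestsPerChild 1000
</IfModule>

# 3. Hand the request off instead of serving it: a 302 is one short
#    response and no file transfer. Matching on User-Agent is an assumption;
#    use whatever header the worm's requests actually carry. [NC] makes the
#    match case-insensitive, [L] stops further rewriting.
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^WormAgent [NC]
RewriteRule ^/infected-target\.exe$ http://downloads.example.com/large-file.bin [R=302,L]

# Simpler alternative if every request for that path is unwanted, whatever
# the client (no mod_rewrite needed, just mod_alias):
# Redirect 302 /infected-target.exe http://downloads.example.com/large-file.bin
```

Check the effect with `apachectl -t` before reloading, then watch the access log for the 302 responses and `apachectl status` (mod_status) for the number of busy children; if that number keeps climbing toward MaxClients, the redirect is not being followed and KeepAlive Off is the setting that actually matters.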