Malformed syn packet cause %100 cpu and interrupts FreeBSD 9.0 release

Seyit Özgür seyit.ozgur at istanbul.net
Thu Mar 15 20:17:59 UTC 2012


Thanks for the quick reply, but I don't use a firewall. I tried to use PF.
Packet filter gets stuck at up to 100.000 SYN packets of flooding (on an open port). Without packet filter it handles much more SYN flooding. Like 1Mpps it can handle w/o interrupts, as I see on my equipment.
But in this case, with "malformed packets", I got interrupts and also input packet errors, causing %100 CPU.
Is there any way to stop them without a firewall? Is there any RFC kernel feature that can check and stop those bogus packets?
Or am I doing something wrong with PF?
________________________________________
From: Chuck Swiger [cswiger at mac.com]
Sent: Thursday, March 15, 2012 10:12 PM
To: Seyit Özgür
Cc: freebsd-net at freebsd.org
Subject: Re: Malformed syn packet cause %100 cpu and interrupts FreeBSD 9.0 release

On Mar 15, 2012, at 12:49 PM, Seyit Özgür wrote:
> Today we tried to see what happens with malformed SYN packets on FreeBSD 9.0 release.
>
> Those packets raise the CPU to %100 and it gets stuck.
>
> listening on ix0, link-type EN10MB (Ethernet), capture size 65535 bytes
> 18:33:30.010215 IP vgn44-1-88-123-89-40.fbx.proxad.net > 85.xxx.xxx.90: tcp
> 18:33:30.010242 IP 225.74.196.88.sta.estpak.ee > 85.xxx.xxx.90: tcp
> 18:33:30.010269 IP Nnov-Prospekt.71.quantum.rn > 85.xxx.xxx.90: tcp
> 18:33:30.010296 IP host52-108-static.49-88-b.business.telecomitalia.it > 85.xxx.xxx.90: tcp
> 18:33:30.010325 IP 125.Red-88-1-75.dynamicIP.rima-tde.net > 85.xxx.xxx.90: tcp
>
> I don't know which tool generates those packets, but as we see, I don't see seq, flag, length etc., just this output in tcpdump.
>
> Is there any kernel feature to NOT process malformed SYN packets?

A firewall can block them before the system will see and try to process them as incoming traffic.

Also, running tcpdump with -X will give both hex and ASCII rendition of the packets, which would be helpful to identify what you mean by "malformed".

Regards,
--
-Chuck
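
The captured lines above show only `tcp`, with no ports, flags or sequence numbers, and the reply suggests `tcpdump -X` to see what "malformed" means. The following is an added example, not code from this thread or from FreeBSD: a small classifier for the raw bytes of one packet, starting at the IPv4 header as `-X` prints them, that reports why a TCP header cannot be decoded normally. The function names, labels and sample packets are constructed for illustration, and the addresses come from documentation ranges.

```python
import struct

def build_ipv4_tcp(flags_frag=0, tcp=b"", total_len=None):
    """Constructed sample: IPv4 header (no options, checksum left 0) + given TCP bytes."""
    total = 20 + len(tcp) if total_len is None else total_len
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0x1234, flags_frag, 64, 6, 0,
                      bytes([192, 0, 2, 1]), bytes([198, 51, 100, 90]))
    return hdr + tcp

def tcp_header(flags, data_off_words=5):
    """Constructed 20-byte TCP header: sport 40000, dport 80, given offset and flags."""
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, data_off_words << 4, flags, 8192, 0, 0)

def why_malformed(pkt):
    """Return labels explaining why the TCP part of an IPv4 packet is not decodable."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return ["not-a-complete-ipv4-header"]
    ihl = (pkt[0] & 0x0F) * 4
    total_len, _ident, flags_frag = struct.unpack("!HHH", pkt[2:8])
    if ihl < 20 or ihl > len(pkt):
        return ["bad-ip-header-length"]
    if pkt[9] != 6:
        return ["not-tcp"]
    if flags_frag & 0x1FFF:                  # fragment offset != 0
        return ["non-first-fragment"]        # carries no TCP header at all
    findings = ["first-fragment"] if flags_frag & 0x2000 else []
    tcp = pkt[ihl:min(total_len, len(pkt))]  # bound by both total length and captured bytes
    if len(tcp) < 20:
        return findings + ["tcp-header-truncated"]
    data_off, flags = (tcp[12] >> 4) * 4, tcp[13]
    if data_off < 20 or data_off > len(tcp):
        findings.append("bad-tcp-data-offset")
    if flags & 0x3F == 0:
        findings.append("no-tcp-flags")
    if flags & 0x02 and flags & 0x05:        # SYN together with FIN or RST
        findings.append("syn-with-fin-or-rst")
    return findings

if __name__ == "__main__":
    samples = {"plain SYN": build_ipv4_tcp(tcp=tcp_header(0x02)),
               "later fragment": build_ipv4_tcp(flags_frag=0x0003, tcp=b"\x00" * 8),
               "short TCP header": build_ipv4_tcp(tcp=tcp_header(0x02)[:8])}
    for name, pkt in samples.items():
        print(f"{name}: {why_malformed(pkt) or 'well-formed'}")
```

An empty result means the packet has a complete, decodable TCP header; any label names the property a filter rule or an upstream device would need to match on.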


