em0, polling performance, P4 2.8ghz FSB 800mhz
Deepak Jain
deepak at ai.net
Sat Feb 28 22:28:54 PST 2004

>>You could use ipfw to limit the damage of a syn flood, e.g.
>>a keep-state rule with a limit of ~2-5 per source IP, lower the
>>timeouts, increase the hash buckets in ipfw, etc. This would
>>use a mask on src-ip of all bits.
>>something like:
>>allow tcp from any to any setup limit src-addr 2
>>
>>this would only allow 2 concurrent TCP sessions per unique
>>source address. Depends on the syn flood you are expecting
>>to experience. You could also use dummynet to shape syn
>>traffic to a fixed level I suppose.
> 
> 
> Does that really help?  If so, we need to optimize the syncache. :(
>
I know that if I rate shape the setup traffic, it helps.
DJ
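
The two mitigations discussed in this thread (a per-source `limit` rule and dummynet shaping of setup traffic), written out as an ipfw ruleset. This is an added example, not part of the original post; the rule and pipe numbers, the bandwidth, the queue size and the sysctl values are assumed for illustration. It prints the commands by default and applies them only when run as root with `FW=ipfw SYSCTL=sysctl`.

```shell
#!/bin/sh
# Added example: ipfw + dummynet rules for the SYN flood mitigations in the thread.
# Dry run by default: commands are printed, not executed.
# All numbers below (rule ids, pipe id, bandwidth, timeouts) are assumed values.
FW="${FW:-echo ipfw}"
SYSCTL="${SYSCTL:-echo sysctl}"

synflood_rules() {
    # Bigger hash table for dynamic rules (must be a power of 2) and a
    # shorter lifetime for entries that never complete the handshake.
    $SYSCTL net.inet.ip.fw.dyn_buckets=4096
    $SYSCTL net.inet.ip.fw.dyn_syn_lifetime=10
    # Let packets continue at the next rule after leaving a pipe; with the
    # default one_pass=1 they would be accepted and skip the limit rule.
    $SYSCTL net.inet.ip.fw.one_pass=0

    # dummynet: shape inbound connection-setup (SYN) packets to a fixed level.
    $FW pipe 1 config bw 256Kbit/s queue 20
    $FW add 1000 pipe 1 tcp from any to any in setup

    # Packets belonging to sessions already admitted match their dynamic rule.
    $FW add 1100 check-state

    # The rule from the thread: at most 2 concurrent TCP sessions per unique
    # source address (all bits of the source IP are used as the mask).
    $FW add 1200 allow tcp from any to any in setup limit src-addr 2

    # A SYN from a source already at its limit does not match rule 1200 and
    # falls through to here; without this rule the limit has no effect on a
    # default-accept firewall.
    $FW add 1300 deny tcp from any to any in setup
}

synflood_rules
```

`ipfw -d show` lists the dynamic rules created by rule 1200, and `ipfw pipe 1 show` reports how much setup traffic the pipe has passed and dropped.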

More information about the freebsd-hackers mailing list