Gear for security (Shields up)

Kristian Rask krask at isupport.dk
Wed Jun 4 03:09:53 PDT 2003


Hi all

I'm in the situation that I receive 3000+ setups per second (for HTTPS) as a result of a DDoS against some webservers.

The webservers (MS IIS) are behind a FreeBSD 5.0-R machine that functions as a packet filter (ipfw) and gateway.

The internet link is a 100 MBit fiber with a media converter connected directly into the BSD box.
At present we have a half-automated process of looking at logfiles and generating ipfw rules to deny the setups (SYN) for the webservers.
As of right now we have reduced the throughput to the servers from approx. 3000 to approx. 400-600 per second; the problem right now is that the DDoS attack is dynamic: new sources come in and old ones die. The definition of an attack is simply the number of setups made against the server in a short interval. Humans produce maybe 20-80 setups, so anything above 200 is assumed to be part of the DDoS attack. And yes, we need to establish new rules very fast, but this is actually slightly off-topic.

The subject is gear = hardware. We can see that the system (presently a 1400 Celeron with 256MB) spends approx. 50% of its time servicing interrupts. From assorted places I have heard the following statements:

- Some fxp's can do "ifconfig fxp0 link0", which should reduce the number of interrupts
- Gigabit adapters have larger onboard caches and more hardware support to reduce the amount of interrupts

I would very much like to hear people's recommendations regarding actual NICs that are "more ideal" than others, and exactly why they are more ideal.

Also, our only way to know that something is an attack is to measure the number of setups per unit of time.
Any ideas as to how one might measure setups/sec the easiest way (easy as in "low load on the machine")?
We are of course aiming for a fully automated process with real-time detection and ipfw rule insertion.


Regards and TIA

Kristian
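The rate-threshold detection the post describes (count SYNs per source over an interval, treat anything above 200 as part of the flood, emit ipfw deny rules) as an added example; this is not the poster's code. It assumes an ipfw rule like `count log tcp from any to any 443 setup` writing one syslog line per SYN, and the log layout and sample addresses below are constructed.

```python
import re
from collections import Counter

# Threshold from the post: humans make roughly 20-80 setups per interval, above 200 is assumed flood.
SYN_THRESHOLD = 200
HTTPS_PORT = 443

# Assumed ipfw log layout: "ipfw: <rule> <action> TCP <src>:<sport> <dst>:<dport> in via <ifname>".
IPFW_LINE = re.compile(
    r"ipfw: \d+ \S+ TCP (?P<src>\d+(?:\.\d+){3}):\d+ (?P<dst>\d+(?:\.\d+){3}):(?P<dport>\d+) in via \S+"
)

def count_setups(lines, dport=HTTPS_PORT):
    """Count SYNs per source IP toward dport within one interval's worth of log lines."""
    counts = Counter()
    for line in lines:
        m = IPFW_LINE.search(line)
        if m and int(m.group("dport")) == dport:
            counts[m.group("src")] += 1
    return counts

def flag_sources(counts, threshold=SYN_THRESHOLD):
    """Sources whose setup count exceeds the threshold, busiest first."""
    return [src for src, n in counts.most_common() if n > threshold]

def ipfw_deny_rules(sources, first_rule=1000, dport=HTTPS_PORT):
    """Build ipfw commands that drop further SYNs ('setup' packets) from each flagged source."""
    return [
        f"ipfw -q add {first_rule + i} deny tcp from {src} to any {dport} setup"
        for i, src in enumerate(sources)
    ]

def build_sample_interval():
    """Constructed sample interval with three sources; not a real capture."""
    template = "Jun  4 03:09:53 gw kernel: ipfw: 100 Count TCP {src}:{sport} 10.0.0.5:443 in via fxp0"
    lines = []
    for src, n in (("192.0.2.10", 350), ("198.51.100.7", 50), ("203.0.113.5", 201)):
        lines += [template.format(src=src, sport=40000 + i) for i in range(n)]
    # A port-80 SYN that must be ignored when measuring HTTPS setups.
    lines.append("Jun  4 03:09:53 gw kernel: ipfw: 100 Count TCP 198.51.100.7:41000 10.0.0.5:80 in via fxp0")
    return lines

if __name__ == "__main__":
    counts = count_setups(build_sample_interval())
    for rule in ipfw_deny_rules(flag_sources(counts)):
        print(rule)
```

In production the lines would be read per interval from the syslog tail rather than built in memory, and the emitted rules fed to ipfw.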


