Gear for security (Shields up)

Steve Francis steve at expertcity.com
Wed Jun 4 07:42:51 PDT 2003


As a different approach, you could try terminating the TCP connections 
on the BSD machine (using Squid or something else configured as a 
reverse proxy).

Then you'd have the advantage of FreeBSD's SYN cookies, etc., to defend 
against the attack. It should deal with 3000 SYNs/second easily.

If they are not SYN attacks, but complete TCP connections, then FreeBSD 
can be tuned to deal with them easily too. Set
kern.ipc.maxsockets: 12328 -> 128000
net.inet.ip.intr_queue_maxlen: 50 -> 1024
kern.ipc.somaxconn: 128 -> 4096
net.inet.tcp.tcbhashsize: 512 -> 4096
net.inet.tcp.msl: 30000 -> 10000
You also need to increase kern.maxfiles.


But your original question - which NICs are optimal - still stands.
Polling with the fxp driver will also greatly reduce interrupt time.




Kristian Rask wrote:

> Hi all
> 
> I'm in the situation that I receive 3000+ setups per second (for HTTPS) as a result of a DDoS against some web servers.
> 
> The web servers (MS IIS) are behind a FreeBSD 5.0-R machine that functions as a packet filter (ipfw) and gateway.
> 
> The internet link is a 100 MBit fiber w. a media converter connected directly into the BSD box.
> At present we have a half-automated process of looking at log files and generating ipfw rules to deny the setups (SYN) for 
> the web servers.
> As of right now we have reduced the throughput to the servers from approx. 3000 to approx. 400-600 per second; the problem right now is that the DDoS attack is dynamic.. new sources come in and old ones die. The definition of an attack is simply the number of setups made against the server in a short interval.. humans produce maybe 20-80 setups.. so anything above 200 is assumed to be part of the DDoS attack. And yes.. we need to establish new rules very fast.. but this is actually slightly off topic.. 
> 
> The subject is gear = hardware... we can see that the system (presently a 1400 Celeron w. 256MB) spends approx. 50% of its time servicing interrupts... from assorted places I have heard the following statements:
> 
> - Some fxp's can do "ifconfig fxp0 link0", which should reduce the number of interrupts
> - Gigabit adapters have larger onboard caches and more hardware support to reduce the amount of interrupts
> 
> I would very much like to hear people's recommendations regarding actual NICs that are "more ideal" than others and exactly why they are more ideal.
> 
> Also... our only way to know that something is an attack is to measure the number of setups per unit of time.
> Any ideas as to how one might measure setups/sec the easiest way (easy as in "low load on the machine")?
> We are of course aiming for a fully automated process w. real-time detection and ipfw rule insertion.
> 
> 
> regards and TIA
> 
> Kristian
> 
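A worked example of the rate-based detection Kristian asks about, added here and written by neither poster: it counts logged setups per source per second over constructed log lines (the ipfw log line shape is an assumption), flags sources above the thread's 200-per-interval threshold, and renders ipfw deny rules as strings without executing anything.

```python
import re
from collections import defaultdict

SYN_THRESHOLD = 200  # thread's rule of thumb: humans make ~20-80 setups, >200 is attack traffic

# Assumed shape of an ipfw "log" line (constructed approximation, not taken from the thread):
#   Jun  4 07:42:51 gw /kernel: ipfw: 100 Accept TCP 203.0.113.7:1024 192.0.2.10:443 in via fxp0
LOG_RE = re.compile(r"^\w{3}\s+\d+\s+(\d\d):(\d\d):(\d\d).*?ipfw: \d+ \w+ TCP "
                    r"([\d.]+):\d+ [\d.]+:(\d+) in via")

def parse_line(line):
    """Return (second_of_day, src_ip, dst_port), or None if not an inbound ipfw TCP entry."""
    m = LOG_RE.match(line)
    if not m:
        return None
    hh, mm, ss, src, dport = m.groups()
    return int(hh) * 3600 + int(mm) * 60 + int(ss), src, int(dport)

def count_setups(lines, dport=443, interval=1):
    """Setups per (time bucket, source IP) toward one port: the cheap metric the thread relies on."""
    counts = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[2] == dport:
            counts[(parsed[0] // interval, parsed[1])] += 1
    return dict(counts)

def find_attackers(counts, threshold=SYN_THRESHOLD):
    """Sources whose setup count exceeds the threshold in any bucket, mapped to their peak count."""
    peak = {}
    for (_, src), n in counts.items():
        if n > threshold:
            peak[src] = max(n, peak.get(src, 0))
    return peak

def deny_rules(attackers, first_rule=1000, dport=443):
    """One ipfw rule per flagged source, matching only new SYNs (rendered as strings, never run)."""
    return [f"ipfw add {first_rule + i} deny tcp from {src} to any {dport} in setup"
            for i, src in enumerate(sorted(attackers))]

def build_sample():
    """Constructed log: one flooding source (250/s), two human-rate sources, one non-TCP line."""
    def entry(ss, src, sport):
        return (f"Jun  4 07:42:{ss:02d} gw /kernel: ipfw: 100 Accept TCP "
                f"{src}:{sport} 192.0.2.10:443 in via fxp0")
    lines = [entry(51, "203.0.113.7", 1024 + i) for i in range(250)]
    lines += [entry(51, "198.51.100.5", 2000 + i) for i in range(40)]
    lines += [entry(52, "198.51.100.9", 3000 + i) for i in range(70)]
    lines.append("Jun  4 07:42:51 gw /kernel: ipfw: 200 Deny UDP 203.0.113.9:53 192.0.2.10:53 in via fxp0")
    return lines
```

Running `deny_rules(find_attackers(count_setups(build_sample())))` yields a single rule for the flooding source; the two sources at human-like rates and the UDP line are left alone.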



