ipfw: Too many dynamic rules

Marat N.Afanasyev amarat at ksu.ru
Fri Sep 10 11:16:47 UTC 2010

Ian Smith wrote:
> On Thu, 9 Sep 2010, Vlad Galu wrote:
>   >  2010/9/9 Marat N.Afanasyev<amarat at ksu.ru>:
>   >  >  I wonder, are these dynamic rules really necessary? let's see, a client
>   >  >  connects to your web-server and you immediately should create a new dynamic
>   >  >  rule, therefore you participate in this DoS attack as well as attacker. ;)
>   >
>   >  With a stateless firewall, you help the attacker even more. Because
>   >  he's able to connect to your httpd/whatever daemon is listening
>   >  directly and he can easily fill up the descriptor table of that
>   >  process. Limiting the number of states/connections from the same host
>   >  prevents that. Sure, those states eat up RAM, but so do the
>   >  established connections. Having a slightly more aggressive state
>   >  expiry policy always helps. Sure, there are accf_http(9), accf_data(9)
>   >  and various forking workarounds, but they don't work unless your TCP
>   >  server is specifically designed to use them.
> Agreed.

stateful firewall does not limits numbers of states/connections. it just 
add a new layer which can be overfulled easily. if you experience a DDoS 
attack it's better to block attackers addresses, e.g, adding them to 
some ipfw table using external methods.

did you try to use lighweight and FAST frontend web-server as proxy? 
e.g. www/nginx or www/zerowait-httpd?

>   >  PF also allows you to tarpit malicious hosts based on how often they
>   >  try to reconnect - you can dynamically add them to a table which you
>   >  can refer to from ALTQ.
> As mentioned, ipfw 'limit' rules accomplish effectively the same without
> needing an extra table; eg only allowing N simultaneous connections from
> any one address.  If N were say 4, even a distributed attack by 20 hosts
> will only allow 80 concurrent connections, no big deal for the firewall
> and no need to bother trying to limit connections later at the server.

I can say that 4 connection limit is extremely low limit, because if you 
use a somewhat "distributed" web site (css, images, etc. in different 
files) client software may open DOZENS of connections simultaneously, 
and you will deny absolutely rightful connections. btw, real DDoS is 
often uses thousands, tens of thousands and even hundreds of thousands 
botware hosts. I've rarely seen millions, may be 2 or three times at 
all, while 50-80 thousands hosts is average.

> That said, I've also tables blocking noted pests, including some recent
> distributed bots seeking eg blocklist='scripts/setup.php p=phpinfo();'
> which irritated me enough to knock up a script to knock them off :)

yes, this is one of the best looking solutions.

SY, Marat

More information about the freebsd-stable mailing list