Malformed syn packet cause %100 cpu and interrupts FreeBSD 9.0 release
Seyit Özgür
seyit.ozgur at istanbul.net
Thu Mar 15 20:41:50 UTC 2012
Sorry, my opinion, but I'm not a BSD guru.. I've just been working on BSD for like 2 months..
I know that PF or IPFW isn't built for a multicore architecture... As far as I know, if my server gets heavy SYN flood traffic, PF or IPFW isn't enough on 1 core..
I also tried syn_cookie, syn_cookie_only and syn_cache.. If I set up syn_cookie, input errors start after 600.000 SYN packets per second. But when I set off SYN cookie protection.. my server can handle much more SYN packets than 600.000..
Also that's why I don't use syncookies too..
Is there any stateful firewall software on FreeBSD which supports multicore processing? (do you know?). I'm up to set it up..
I will get tcpdump again with the -X param.. then I will post it again..
Thanks for your comments.
________________________________________
From: Chuck Swiger [cswiger at mac.com]
Sent: Thursday, March 15, 2012 10:30 PM
To: Seyit Özgür
Cc: freebsd-net at freebsd.org
Subject: Re: Malformed syn packet cause %100 cpu and interrupts FreeBSD 9.0 release
On Mar 15, 2012, at 1:17 PM, Seyit Özgür wrote:
> Thanks for the quick reply.. but I don't use a firewall. I tried to use PF..
> Packet filter gets stuck at up to 100.000 SYN packets flooding (on an open port).. Without the packet filter it handles much more SYN flooding. Like 1Mpps can be handled w/o the interrupts that I see on my equipment
> But in this case of "malformed packets" I got interrupts and also input packet errors.. causing 100% CPU..
> Is there any way to stop them without a firewall? Any RFC kernel feature that can check and stop those bogus packets?
> Or am I doing something wrong with PF?
I prefer IPFW myself, but you probably ran out of stateful rule slots. For a high-volume service which is expected to be Internet-reachable (ie, port 80 to a busy webserver), you really just don't want to have stateful rules -- it's too easy to DoS the firewall itself, as you noticed. In any event, you don't need state if you are just blacklisting attack sources.
You haven't really identified what you mean by "malformed", but maybe you are talking about a SYN flood, in which case make sure that SYN cookies and SYN cache are enabled...
Regards,
--
-Chuck
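As an added example for the three SYN-flood modes compared in this thread (syncache only, syncache with cookie fallback, cookies only) and for the stateless blacklisting Chuck suggests, the POSIX sh script below is not code from the thread or from FreeBSD. It reads the real sysctls net.inet.tcp.syncookies and net.inet.tcp.syncookies_only when run on FreeBSD (falling back to the FreeBSD defaults elsewhere), echoes rather than applies an IPFW table rule, and goes a step beyond the text by ranking SYN sources in tcpdump -n output, which is the kind of capture the poster says he will collect. The rule number 100, table number 1 and all addresses in the sample lines are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Reports which SYN-flood mode a FreeBSD
# host is in from the real sysctls net.inet.tcp.syncookies and
# net.inet.tcp.syncookies_only, prints (does not apply) the stateless IPFW
# table rule shape, and ranks SYN sources in tcpdump -n output so a flooding
# source can be spotted before it is added to the table. Rule and table
# numbers and all sample addresses are constructed placeholders.

# syn_mode COOKIES ONLY -> mode name for the two sysctl values
syn_mode() {
    case "$1/$2" in
        0/*) echo "syncache-only" ;;      # SYN cache, cookies never sent
        1/0) echo "syncache+cookies" ;;   # cache first, cookies on overflow (FreeBSD default)
        1/1) echo "cookies-only" ;;       # no per-connection cache state at all
        *)   echo "unknown"; return 1 ;;
    esac
}

# read_sysctl KEY DEFAULT -> live value on FreeBSD, DEFAULT elsewhere
read_sysctl() {
    v=$(sysctl -n "$1" 2>/dev/null) && [ -n "$v" ] && echo "$v" || echo "$2"
}

# ipfw_blacklist_rule RULENO TABLENO -> stateless deny rule text (echoed, not run)
# Deliberately no keep-state: a table lookup creates no per-flow entry, so a
# flood cannot fill the firewall's dynamic state table.
ipfw_blacklist_rule() {
    echo "ipfw add $1 deny ip from 'table($2)' to any in"
}

# top_syn_sources N: reads tcpdump -n lines on stdin and prints "count source"
# for the N busiest sources of pure SYNs (Flags [S]; SYN-ACK shows as [S.]).
top_syn_sources() {
    awk '/Flags \[S\]/ { src = $3; sub(/\.[0-9]+$/, "", src); c[src]++ }
         END { for (s in c) print c[s], s }' | sort -rn | head -n "$1"
}

# Constructed tcpdump -n style lines standing in for a real capture.
sample_syn_lines() {
    cat <<'EOF'
20:41:50.000001 IP 192.0.2.10.40001 > 198.51.100.5.80: Flags [S], seq 1, win 512, length 0
20:41:50.000002 IP 192.0.2.10.40002 > 198.51.100.5.80: Flags [S], seq 2, win 512, length 0
20:41:50.000003 IP 203.0.113.7.5555 > 198.51.100.5.80: Flags [S], seq 3, win 512, length 0
20:41:50.000004 IP 192.0.2.10.40003 > 198.51.100.5.80: Flags [S], seq 4, win 512, length 0
20:41:50.000005 IP 203.0.113.7.5556 > 198.51.100.5.80: Flags [.], ack 1, win 512, length 0
EOF
}

mode=$(syn_mode "$(read_sysctl net.inet.tcp.syncookies 1)" \
                "$(read_sysctl net.inet.tcp.syncookies_only 0)")
echo "SYN flood mode: $mode"
echo "stateless blacklist rule: $(ipfw_blacklist_rule 100 1)"
echo "busiest SYN sources:"
sample_syn_lines | top_syn_sources 2
```

On a live host replace sample_syn_lines with `tcpdump -n -i IFACE 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'` (IFACE is a placeholder) and feed its output to top_syn_sources; the counts it prints are what you would compare against the 600.000 pps threshold mentioned above before deciding whether a source belongs in the table.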