Malformed syn packet cause %100 cpu and interrupts FreeBSD 9.0 release
Chuck Swiger
cswiger at mac.com
Thu Mar 15 21:30:34 UTC 2012
On Mar 15, 2012, at 1:17 PM, Seyit Özgür wrote:
> Thanks for the quick reply.. but I don't use a firewall. I tried to use PF..
> The packet filter gets stuck at up to 100.000 SYN packets flooding (on an open port).. Without the packet filter it handles much more SYN flooding. Like 1Mpps it can handle w/o the interrupts that I see on my equipment.
> But in this case of "malformed packets" I get interrupts and also input packet errors.. causing 100% CPU..
> Is there any way to stop them without a firewall? Any RFC kernel feature that can check and stop those bogus packets?
> Or am I doing something wrong in PF?
I prefer IPFW myself, but you probably ran out of stateful rule slots. For a high-volume service which is expected to be Internet-reachable (i.e., port 80 on a busy webserver), you really just don't want to have stateful rules -- it's too easy to DoS the firewall itself, as you noticed. In any event, you don't need state if you are just blacklisting attack sources.
You haven't really identified what you mean by "malformed", but maybe you are talking about a SYN flood, in which case make sure that SYN cookies and SYN cache are enabled...
Regards,
--
-Chuck
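The two pieces of advice above (confirm the SYN cookie/syncache knobs, and blacklist sources with stateless rules rather than keep-state) can be put into a small script. This is an added example, not code from the thread or from the FreeBSD project; it assumes FreeBSD's sysctl(8) and ipfw(8) with their usual `name: value` output and `table(N)` rule syntax, and the source prefixes in it are constructed samples from the RFC 5737 documentation ranges, not real attackers.

```shell
#!/bin/sh
# Added example: verify SYN-cookie/syncache state and build a *stateless*
# IPFW blacklist from a list of source prefixes. Assumes FreeBSD sysctl(8)
# and ipfw(8); sample prefixes are constructed, not observed attackers.

# Return 0 if a sysctl(8) output line shows the knob enabled (value 1).
# Takes the line as text so it can be checked offline, e.g.:
#   syn_knob_enabled "$(sysctl net.inet.tcp.syncookies)"
syn_knob_enabled() {
    case "$1" in
        *': 1') return 0 ;;   # e.g. "net.inet.tcp.syncookies: 1"
        *)      return 1 ;;
    esac
}

# Emit ipfw(8) commands for a stateless blacklist: a table-based deny rule
# near the top of the ruleset with no check-state/keep-state, so a flood
# cannot exhaust dynamic-rule slots. $1 = table number; stdin = one prefix
# per line (blank lines and '#' comments are skipped).
build_blacklist_rules() {
    table="$1"
    echo "ipfw table $table flush"
    while read -r prefix; do
        case "$prefix" in ''|'#'*) continue ;; esac
        echo "ipfw table $table add $prefix"
    done
    # table(N) must be quoted so the shell does not see the parentheses.
    echo "ipfw add 100 deny ip from \"table($table)\" to any in"
}

# Constructed sample prefixes (RFC 5737 documentation ranges).
SAMPLE_PREFIXES='203.0.113.0/24
198.51.100.7
# comment lines are skipped'

if [ "${1:-}" = "--apply" ]; then
    # On a real FreeBSD host: make sure SYN cookies are on, then load rules.
    syn_knob_enabled "$(sysctl net.inet.tcp.syncookies)" \
        || sysctl net.inet.tcp.syncookies=1
    # syncache usage is visible in the kernel counters, e.g.:
    #   netstat -s -p tcp | grep -i syncache
    printf '%s\n' "$SAMPLE_PREFIXES" | build_blacklist_rules 1 | sh
else
    # Dry run: print the commands that --apply would execute.
    printf '%s\n' "$SAMPLE_PREFIXES" | build_blacklist_rules 1
fi
```

Run without arguments to see the generated rules; `--apply` executes them. Feeding a table instead of one rule per prefix keeps the ruleset short, and because nothing here creates dynamic state, adding thousands of prefixes during a flood does not consume the firewall's stateful slots.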