Malformed syn packet cause %100 cpu and interrupts FreeBSD 9.0 release

Thu Mar 15 22:57:40 UTC 2012

On Mar 15, 2012, at 10:40 PM, Seyit Özgür wrote:

> sori my opinion but i m not a BSD guru.. i just working on BSD like 2 months..
> i know that PF or IPFW isn't build multicore arhitecture... As i know if my server got on heavy Syn flood traffic PF or IPFW don't enough 1 core.. 
> i also tried Syn_cookie, Syn_cookie_only and syn_cache.. if i set up syn_cookie start input errors after 600.000 syn packets per second. But while i set off syn cookie protection.. my server can handle much more syn packets then 600.000.. 
> Also thats why i don't use syncookies too..
> If there is any statefull Firewall software on freeBSD which support multicore process? (you know ?). i m up to set up..
> 
> i will get tcpdump again with -X param.. then i will post it again..
> 
> Thanks for your comments. 
> 
> ________________________________________
> From: Chuck Swiger [cswiger at mac.com]
> Sent: Thursday, March 15, 2012 10:30 PM
> To: Seyit Özgür
> Cc: freebsd-net at freebsd.org
> Subject: Re: Malformed syn packet cause %100 cpu and interrupts FreeBSD 9.0 release
> 
> On Mar 15, 2012, at 1:17 PM, Seyit Özgür wrote:
>> Thanks for quick reply.. but i don't use firewall. i tried to use PF..
>> Packer filter stucks up to 100.000 syn packets flooding(on open port).. Without packet filter it handle much more syn flooding. Like 1Mpps can handle w/o interrupts that i see on my equiment
>> But in this case "malformed packets" i got interrupts also input packet error.. cause %100 cpu..
>> Is there any way to stop them without firewall ? Any rfc kernel feature can check and stop those bogus packets ?
>> Or do i something wrong on PF ?
> 
> I prefer IPFW myself, but you probably ran out of stateful rule slots.  For a high-volume services which is expected to be Internet-reachable (ie, port 80 to a busy webserver), you really just don't want to have stateful rules-- it's too easy to DoS the firewall itself, as you noticed.  In any event, you don't need state if you are just blacklisting attack sources.
> 
> You haven't really identified what you mean by "malformed", but maybe you are talking about a SYN flood, in which case make sure that SYN cookies and SYN cache are enabled...
> 
> Regards,
> --
> -Chuck
> 
> 

In my experience you will endure a lot more SYN flood traffic if you use only syncache, and also increase the syncache sysctls.
Sycookies are somewhat more expensive to calculate and they cause 100% CPU load much sooner.

I use :

net.inet.tcp.syncache.hashsize=2048
net.inet.tcp.syncache.cachelimit=61440
net.inet.tcp.syncache.bucketlimit=30

Does this works better for you?