Malformed syn packet cause %100 cpu and interrupts FreeBSD 9.0 release
Michael Sierchio
kudzu at tenebras.com
Thu Mar 15 23:20:42 UTC 2012
2012/3/15 Chuck Swiger <cswiger at mac.com>
> I prefer IPFW myself, but you probably ran out of stateful rule slots. For
> a high-volume service which is expected to be Internet-reachable (i.e., port
> 80 to a busy webserver), you really just don't want to have stateful
> rules-- it's too easy to DoS the firewall itself, as you noticed. In any
> event, you don't need state if you are just blacklisting attack sources.
>
I too prefer ipfw, especially since adding blacklist IP addresses or
networks to a table is extremely efficient.
> You haven't really identified what you mean by "malformed", but maybe you
> are talking about a SYN flood, in which case make sure that SYN cookies and
> SYN cache are enabled...
I'm still wondering, too. Are the packets malformed, or is this a SYN
flood?
- M
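The two points above, blacklisting attack sources through an ipfw table with stateless deny rules and making sure SYN cookies are on, as an added example script. This is not code from the thread or from FreeBSD; the table number, rule numbers, sysctl values and the sample networks are assumptions chosen for illustration. By default it only prints the commands it would run (DRY_RUN=1), so it can be reviewed before being applied as root on a real host.

```shell
#!/bin/sh
# Added example: build an ipfw blacklist table, attach stateless deny rules,
# and enable SYN cookies / bound syncache retransmits. Table 1, rule numbers
# 100/110 and the sysctl values are assumed, not taken from the thread.
# DRY_RUN=1 (default) prints commands; DRY_RUN=0 executes them (needs root).

DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Validate an IPv4 address or CIDR prefix (a.b.c.d or a.b.c.d/nn), so a
# typo in the blacklist never reaches ipfw.
valid_cidr() {
    addr="${1%/*}"
    case "$1" in
        */*) pfx="${1#*/}" ;;
        *)   pfx=32 ;;
    esac
    case "$pfx" in ''|*[!0-9]*) return 1 ;; esac
    [ "$pfx" -le 32 ] || return 1
    old_ifs="$IFS"; IFS=.
    set -- $addr
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Populate table N with the given networks, then add deny rules that
# reference the table. No keep-state here: lookups are one table hit per
# packet, and a flood cannot exhaust the dynamic-rule table.
# Malformed entries are reported on stderr and skipped, not fatal.
blacklist_commands() {
    table="$1"; shift
    for net in "$@"; do
        if valid_cidr "$net"; then
            run ipfw table "$table" add "$net"
        else
            printf 'skipping malformed entry: %s\n' "$net" >&2
        fi
    done
    run ipfw add 100 deny ip from "table($table)" to any
    run ipfw add 110 deny ip from any to "table($table)"
}

# SYN flood mitigation: SYN cookies on, fewer syncache SYN/ACK retransmits
# so half-open entries for spoofed sources expire sooner (value assumed).
syn_protection_commands() {
    run sysctl net.inet.tcp.syncookies=1
    run sysctl net.inet.tcp.syncache.rexmtlimit=3
}

# Constructed sample blacklist (documentation ranges), including one bad entry.
blacklist_commands 1 192.0.2.0/24 198.51.100.7 999.1.1.1
syn_protection_commands
```

Entries can later be added or removed with `ipfw table 1 add|delete` without touching the ruleset, and `ipfw table 1 list` shows what is currently blocked; that is what makes the table approach cheap compared to one rule per address.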