Malformed syn packet cause %100 cpu and interrupts FreeBSD 9.0 release
Seyit Özgür
seyit.ozgur at istanbul.net
Fri Mar 16 08:08:50 UTC 2012
It's of course a SYN flood with malformed SYN packets, around 100,000 packets
per second from different IP addresses. At around 40,000 pps input errors start
and the CPU goes to 100% (the NIC uses 8 cores with different IRQs, x8 bus (2.5
GT/s), all CPUs at 100%). It also can't handle 60,000 pps.

But with a normal SYN flood the same equipment can handle around 1 Mpps (different
IPs), without any firewall software, just by tuning some kernel parameters.

Today I will get a tcpdump with the -X parameter, and I will share it with you.

I think this problem is that those packets are processed by the CPU and the CPU
goes up to 100%, but those are bogus SYN packets. I think if the bogus SYN
packets weren't processed by the CPU, it would be OK.
Regards
Seyit Özgür
Network Administrator
From: Michael Sierchio [mailto:kudzu at tenebras.com]
Sent: Friday, March 16, 2012 1:21 AM
To: Chuck Swiger
Cc: Seyit Özgür; freebsd-net at freebsd.org
Subject: Re: Malformed syn packet cause %100 cpu and interrupts FreeBSD 9.0 release
2012/3/15 Chuck Swiger <cswiger at mac.com>
I prefer IPFW myself, but you probably ran out of stateful rule slots. For
a high-volume service which is expected to be Internet-reachable (i.e., port
80 to a busy webserver), you really just don't want to have stateful rules --
it's too easy to DoS the firewall itself, as you noticed. In any event, you
don't need state if you are just blacklisting attack sources.
I too prefer ipfw, especially since adding blacklist IP addresses or
networks to a table is extremely efficient.
You haven't really identified what you mean by "malformed", but maybe you
are talking about a SYN flood, in which case make sure that SYN cookies and
SYN cache are enabled...
I'm still wondering, too. Are the packets malformed, or is this a SYN
flood?
- M
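The open question in this thread is whether the packets are actually malformed or whether this is simply a SYN flood, and the original poster says he will collect `tcpdump -X` output. The following is an added example, not code from this thread, from FreeBSD or from tcpdump: it parses such a hex dump transcript into raw packets and reports, per packet, whether it is a bare SYN and what (if anything) is wrong with it: a bad IPv4 or TCP checksum, a TCP data offset outside the segment, a truncated option list, or SYN combined with FIN/RST. The sample transcript, the addresses (TEST-NET ranges), the ports and the `build_segment` helper are all constructed for the example. A dump where every packet comes back as `(True, [])` is an ordinary SYN flood, which is what syncookies/syncache and stateless ipfw rules with tables are meant to absorb.

```python
"""Parse `tcpdump -X` output of IPv4/TCP packets and report why a SYN is not well-formed.
Added example (not code from the thread, FreeBSD or tcpdump); addresses and SAMPLE_DUMP are constructed."""
import re
import socket
import struct

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10
HEX_LINE = re.compile(r"^\s*0x([0-9a-fA-F]{4}):\s+(.*?)(?:\s{2,}.*)?$")  # offset, hex, ASCII column

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum; 0 when run over data whose checksum field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def hexdump_to_packets(dump: str) -> list[bytes]:
    """Split a `tcpdump -X` transcript into packets; offset 0x0000 starts a new one."""
    packets: list[bytearray] = []
    for line in dump.splitlines():
        m = HEX_LINE.match(line)          # summary lines do not match and are skipped
        if m and m.group(1) == "0000":
            packets.append(bytearray())
        if m and packets:
            packets[-1] += bytes.fromhex(m.group(2))
    return [bytes(p) for p in packets]

def parse_tcp_options(raw: bytes) -> list[str]:
    """Walk the option list; report options that run past the header."""
    issues, i = [], 0
    while i < len(raw) and raw[i] != 0:   # kind 0 = end of option list
        kind = raw[i]
        if kind == 1:                     # NOP carries no length byte
            i += 1
            continue
        if i + 1 >= len(raw):
            issues.append(f"option kind {kind} truncated (no length byte)")
            break
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            issues.append(f"option kind {kind} has bad length {length}")
            break
        i += length
    return issues

def analyze(pkt: bytes) -> tuple[bool, list[str]]:
    """(is_bare_syn, issues): (True, []) is an ordinary SYN; anything in issues is malformed."""
    if len(pkt) < 20:
        return False, ["truncated IPv4 header"]
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or ihl > len(pkt):
        return False, [f"bad IPv4 version/IHL byte 0x{ver_ihl:02x}"]
    issues = ["bad IPv4 header checksum"] if ones_complement_sum(pkt[:ihl]) else []
    if proto != 6:
        return False, issues + [f"IP protocol {proto} is not TCP"]
    if not ihl + 20 <= total_len <= len(pkt):
        return False, issues + [f"IP total length {total_len} vs {len(pkt)} captured bytes"]
    tcp = pkt[ihl:total_len]
    sport, dport, _, _, off, flags, _, _, _ = struct.unpack("!HHIIBBHHH", tcp[:20])
    doff = (off >> 4) * 4
    if ones_complement_sum(src + dst + struct.pack("!BBH", 0, 6, len(tcp)) + tcp):
        issues.append("bad TCP checksum")        # pseudo-header + segment must sum to zero
    if 20 <= doff <= len(tcp):
        issues += parse_tcp_options(tcp[20:doff])
    else:
        issues.append(f"TCP data offset {doff} outside 20..{len(tcp)}")
    if flags & SYN and flags & (FIN | RST):
        issues.append(f"SYN combined with FIN/RST (flags 0x{flags:02x})")
    return bool(flags & SYN) and not flags & ACK, issues

def build_segment(src: str, dst: str, sport: int, dport: int, flags: int = SYN,
                  options: bytes = b"", corrupt_tcp_csum: bool = False) -> bytes:
    """IPv4/TCP segment with valid checksums (the TCP one optionally corrupted)."""
    opts = options + b"\x00" * (-len(options) % 4)
    src_b, dst_b = socket.inet_aton(src), socket.inet_aton(dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0x12345678, 0,
                      (5 + len(opts) // 4) << 4, flags, 0xFFFF, 0, 0) + opts
    csum = ones_complement_sum(src_b + dst_b + struct.pack("!BBH", 0, 6, len(tcp)) + tcp)
    tcp = tcp[:16] + struct.pack("!H", csum ^ (0x00FF if corrupt_tcp_csum else 0)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1C46, 0x4000, 64, 6, 0, src_b, dst_b)
    return ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:] + tcp

# Constructed transcript, not a capture: a clean SYN, then one with a 16-byte data offset and SYN+FIN.
SAMPLE_DUMP = """\
08:08:50.000001 IP 198.51.100.7.49153 > 192.0.2.10.80: Flags [S], seq 305419896, win 65535, length 0
\t0x0000:  4500 0028 1c46 4000 4006 3245 c633 6407  E..(.F@.@.2E.3d.
\t0x0010:  c000 020a c001 0050 1234 5678 0000 0000  .......P.4Vx....
\t0x0020:  5002 ffff 9a9f 0000                      P.......
08:08:50.000002 IP 198.51.100.7.49153 > 192.0.2.10.80: tcp 20 [bad hdr length 16 - too short, < 20]
\t0x0000:  4500 0028 1c47 4000 4006 3244 c633 6407  E..(.G@.@.2D.3d.
\t0x0010:  c000 020a c001 0050 1234 5678 0000 0000  .......P.4Vx....
\t0x0020:  4003 ffff aa9e 0000                      @.......
"""

if __name__ == "__main__":
    for n, pkt in enumerate(hexdump_to_packets(SAMPLE_DUMP), 1):
        print(f"packet {n}: bare SYN={analyze(pkt)[0]}, issues={analyze(pkt)[1]}")
```

To use it on a real capture, run `tcpdump -ni <iface> -X 'tcp[tcpflags] & tcp-syn != 0'` (the `-X` output format this parser expects starts at the IP header; with `-XX` the Ethernet header is included and would have to be stripped first), paste the transcript in place of `SAMPLE_DUMP`, and count how many packets come back with a non-empty issue list. The checksum check is worth keeping even on a busy box: a flood of segments with bad TCP checksums still costs the kernel the checksum computation before it can drop them, unless the NIC verifies checksums in hardware.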