On Thu, 16 Jan 2003, Josh Brooks wrote:
> 3. I am not that high profile ... but what do the high profile (shell servers like foonet and EFnet irc server operators) people use? Would any of those people consider even for a moment using a FreeBSD+ipfw system for their packet filtering and rate shaping?
I have run an EFnet irc server with FreeBSD+ipfw on the irc server itself. Very few rules (like TCP SYN rate limiting, ICMP rate limiting, allow irc ports, allow ssh port, drop the rest) and that crummy old machine was able to handle a full 100 megabit of spoofed SYN flooding. I am not 100% up to speed as to what people are using on EFnet/IRCnet nowadays, but I am under the impression that they're still using the above, i.e. letting the host protect itself. Sometimes they put a capable router in front of it and let it do some of the limiting.

Back then, it wasn't the host that was getting hit worst by the flooding; it was when the spoofed TCP SYNs were replied to by the machine: the upstream Catalyst 5500 with RSMs totally choked on trying to route-lookup 10kpps of diverse destinations, some of which were not even in its full routing table. The above TCP rate limiting etc. (make the machine not respond to a lot of pps generated by unverified connections) did a lot of good in leveraging the upstream route lookup problem.

After implementing the above I survived several large floods without much trouble and things were great for 3 months. After that the kiddies figured out that they could attack other hosts on the same network or adjacent networks and cause the RSMs to fall over and die, thus achieving their goals anyway.

I have no specific suggestions for you in your specific case unfortunately; my experience with FreeBSD+ipfw is limited to the above, but I thought it might give you some insight into some of the problems I faced anyway.

-- 
Mikael Abrahamsson email: swmike@swm.pp.se
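A ruleset of the shape the reply above describes (shape inbound SYNs and ICMP, allow the irc and ssh ports, drop the rest), written here as an added example; it is not Mikael's actual ruleset or anything from the list. It assumes a FreeBSD 4.x-era kernel with `IPFIREWALL` and `DUMMYNET`, the default `net.inet.ip.fw.one_pass=1`, loading via `ipfw -q /etc/ipfw.rules`, and the port ranges, pipe bandwidths and queue sizes are constructed values to be tuned per host.

```ipfw
# /etc/ipfw.rules  (constructed example; load with: ipfw -q /etc/ipfw.rules)
# Assumes kernel options IPFIREWALL and DUMMYNET and the default
# net.inet.ip.fw.one_pass=1, so a packet that has been through a pipe
# leaves the firewall instead of being re-evaluated by later rules.
flush

# Dummynet pipes used purely as rate limiters: a short queue means
# whatever does not fit the bandwidth is dropped rather than buffered.
# 128Kbit/s is on the order of a few hundred SYNs/second (assumed value).
pipe 1 config bw 128Kbit/s queue 10
pipe 2 config bw 32Kbit/s queue 10

# Loopback always passes.
add 100 allow ip from any to any via lo0

# Segments of connections the host already accepted or initiated, and
# anything the host itself sends (server links, DNS queries, ...).
add 200 allow tcp from any to any established
add 210 allow ip from me to any out

# Inbound SYNs to the irc client ports go through pipe 1. The pipe caps
# how many SYNs the host ever sees, and therefore how many SYN/ACKs it
# sends back toward the upstream router during a spoofed flood.
add 300 pipe 1 tcp from any to me 6660-6669 in setup

# Admin access: ssh SYNs are allowed but not shaped, so a flood on the
# irc ports does not lock the operator out.
add 310 allow tcp from any to me 22 in setup

# ICMP to the host is shaped through pipe 2 rather than dropped outright,
# so PMTU discovery and ping keep working at a bounded rate.
add 400 pipe 2 icmp from any to me in

# DNS answers for the local resolver (assumes a stub resolver on this host).
add 500 allow udp from any 53 to me in

# Everything else is dropped without logging: logging each packet of a
# 10kpps flood is itself a denial of service on the host.
add 65000 deny ip from any to any
```

Because the pipes are stateless bandwidth caps, legitimate new connections to the irc ports also get dropped while a flood is saturating pipe 1; established sessions are unaffected, which is the trade-off the reply describes.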