[103269] in North American Network Operators' Group
Re: Mitigating HTTP DDoS attacks?
daemon@ATHENA.MIT.EDU (Barney Wolff)
Mon Mar 24 20:14:22 2008
Date: Mon, 24 Mar 2008 20:09:45 -0400
From: Barney Wolff <barney@databus.com>
To: Paul Vixie <vixie@isc.org>
Cc: nanog@merit.edu
In-Reply-To: <g3ve3bhf19.fsf@sa.vix.com>
Errors-To: owner-nanog@merit.edu
On Mon, Mar 24, 2008 at 11:34:58PM +0000, Paul Vixie wrote:
>
> i only use or recommend operating systems that have their own host based
> firewalls. soon that will mean pf (from openbsd but available on freebsd)
> but right now that means ipfw. ipfw has a "table" construct which uses a
> data structure similar to the kernel's routing table. with a little bit
> of tuning, and using X86_64 to get more kernel memory map space than I386,
> i've listed every member of 60K-node botnets in a table whose only use is
> "if a SYN comes from here, silently drop it with no ICMP response". with
> more tuning work, a 200K-node botnet would pose no problem. we populate
> these tables with a perl script that watches the apache server's logfiles.
Even on an untuned fbsd i386, I had success with an ipfw table with well over
1e6 entries. What finally broke was doing a table list, possibly because the
command prints in sorted order. No performance problems were observed at my
limited volume of perhaps 30000 hits per day.
--
Barney Wolff I never met a computer I didn't like.
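As an added illustration of the approach both posters describe (an ipfw table fed from the Apache access log, with a single rule that drops SYNs from table members without any ICMP reply), the script below is not code from this thread. It assumes table number 1, rule number 100, a combined-format access log with the client IP in the first field, and a per-client request count as the trigger; ipfw is only reached through the IPFW variable, which defaults to echo so the script can be exercised on a box without ipfw.

```shell
#!/bin/sh
# Added example, not from the NANOG thread. Populates an ipfw table from an
# Apache access log and installs one rule that silently drops SYNs from every
# host in the table. Assumed: table 1, rule 100, first log field is the
# client IP, threshold is a plain request count. $IPFW defaults to "echo ipfw"
# so nothing is changed on the host unless you set IPFW=ipfw.

IPFW="${IPFW:-echo ipfw}"
TABLE="${TABLE:-1}"
RULE="${RULE:-100}"

# Constructed sample log (TEST-NET addresses, not real traffic): one client
# hammering the server, two behaving normally. Written to the path in $1.
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.7 - - [24/Mar/2008:20:01:02 -0400] "GET / HTTP/1.1" 200 5120
203.0.113.7 - - [24/Mar/2008:20:01:02 -0400] "GET / HTTP/1.1" 200 5120
198.51.100.22 - - [24/Mar/2008:20:01:03 -0400] "GET /index.html HTTP/1.1" 200 5120
203.0.113.7 - - [24/Mar/2008:20:01:03 -0400] "GET / HTTP/1.1" 200 5120
192.0.2.9 - - [24/Mar/2008:20:01:04 -0400] "GET /robots.txt HTTP/1.1" 200 68
203.0.113.7 - - [24/Mar/2008:20:01:04 -0400] "GET / HTTP/1.1" 200 5120
198.51.100.22 - - [24/Mar/2008:20:01:05 -0400] "GET /style.css HTTP/1.1" 200 900
203.0.113.7 - - [24/Mar/2008:20:01:05 -0400] "GET / HTTP/1.1" 200 5120
EOF
}

# Print "ip count" for every client with more than $2 requests in log $1,
# busiest first. Single awk pass so it scales to large logs.
offenders() {
    awk -v max="$2" '
        { n[$1]++ }
        END { for (ip in n) if (n[ip] > max) print ip, n[ip] }
    ' "$1" | sort -k2,2nr
}

# The one static rule: "deny" sends nothing back (unlike "reject" or
# "unreach"), and "setup" matches only SYN-without-ACK, so established
# sessions are untouched and the bot just sees a timeout. The rule is
# installed once; the table is updated independently of it.
install_rule() {
    $IPFW add "$RULE" deny tcp from "table($TABLE)" to any setup in
}

# Add each offender to the table. ipfw refuses a duplicate entry, so the
# error is tolerated to keep repeated runs idempotent.
populate_table() {
    offenders "$1" "$2" | while read -r ip _; do
        $IPFW table "$TABLE" add "$ip" || true
    done
}
```

Usage: source the file, run install_rule once at boot, then have cron (or a tail -f loop in place of the Perl script Vixie mentions) call populate_table /var/log/httpd-access.log 1000 at whatever interval suits the traffic; set IPFW=ipfw to apply the commands instead of printing them. Note that ipfw table N list prints sorted output, which is what Barney reports as the operation that fell over at 1e6 entries, so check membership with ipfw table N list | grep rather than listing during an attack.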