Hi again,
Here is the info that I can supply. If you need more, please tell me how to get it.
PF Options
set timeout { interval 10, frag 30 }
set timeout { tcp.first 300, tcp.opening 60, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 60, tcp.closed 90 }
set timeout { udp.first 120, udp.single 150, udp.multiple 120 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 500000, frags 100000 }
set loginterface none
set skip on { lo0 enc0 }
set optimization normal
set block-policy drop
set fingerprints "/etc/pf.os"
PF states:
root# pfctl -ss | wc -l
4765
root# date; vmstat -i
Fri Dec 28 22:57:00 EET 2012
interrupt                       total     rate
irq0/clock                   91039955      799
irq0/ipi                     17900164      157
irq82/bnx0                   58237357      511
irq98/bnx1                  215829335     1896
irq82/bnx2                      59316        0
irq97/bnx4                    6800293       59
irq80/mfi0                     537214        4
irq82/bnx5                  125670397     1104
irq84/ehci0                     74177        0
Total                       516148208     4534

root# date; vmstat -i
Fri Dec 28 22:57:05 EET 2012
interrupt                       total     rate
irq0/clock                   91043954      799
irq0/ipi                     17900210      157
irq82/bnx0                   58237576      511
irq98/bnx1                  215854554     1896
irq82/bnx2                      59317        0
irq97/bnx4                    6800360       59
irq80/mfi0                     537232        4
irq82/bnx5                  125684762     1104
irq84/ehci0                     74177        0
Total                       516192142     4535
My egress interface is bnx1 and my attacked interface is bnx5.
I read somewhere that Intel network cards (em0 etc.) perform better. I can try to get a new NIC to see the difference.
I took these outputs while I was not logging the UDP 53 requests, which are just the attack.
Thanks.
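The two checks James Shupe asks for in the quoted reply below (interrupt usage and whether the state table is full), scripted as an added example that is not part of this thread. It assumes OpenBSD's `pfctl -si`, `pfctl -sm` and `vmstat -i` output formats. The embedded sample text is constructed: the two `vmstat -i` runs copy the numbers posted above, while the `pfctl -si`/`pfctl -sm` excerpts are made up to match the 4765 states and the `states 500000` limit, since the post only shows `pfctl -ss | wc -l`. On the firewall itself, feed the functions the live command output instead.

```shell
#!/bin/sh
# Added example, not from the thread: turn "check interrupts" and "check whether
# the state table is full" into numbers. All sample text below is constructed.

# Constructed `pfctl -si` excerpt; only the "current entries" line is used.
PFSI='State Table                          Total             Rate
  current entries                     4765'

# Constructed `pfctl -sm` output, matching "set limit { states 500000, frags 100000 }".
PFSM='states        hard limit   500000
src-nodes     hard limit   100000
frags         hard limit   100000
tables        hard limit     1000
table-entries hard limit   200000'

# The two vmstat -i runs from the post, taken 5 seconds apart.
VM1='interrupt                       total     rate
irq0/clock                   91039955      799
irq0/ipi                     17900164      157
irq82/bnx0                   58237357      511
irq98/bnx1                  215829335     1896
irq82/bnx2                      59316        0
irq97/bnx4                    6800293       59
irq80/mfi0                     537214        4
irq82/bnx5                  125670397     1104
irq84/ehci0                     74177        0
Total                       516148208     4534'

VM2='interrupt                       total     rate
irq0/clock                   91043954      799
irq0/ipi                     17900210      157
irq82/bnx0                   58237576      511
irq98/bnx1                  215854554     1896
irq82/bnx2                      59317        0
irq97/bnx4                    6800360       59
irq80/mfi0                     537232        4
irq82/bnx5                  125684762     1104
irq84/ehci0                     74177        0
Total                       516192142     4535'

# states_limit SM: the "states" hard limit from `pfctl -sm`.
states_limit() {
    printf '%s\n' "$1" | awk '/^states/ { print $4 }'
}

# state_pct SI SM: percent of the states hard limit in use, two decimals.
# `pfctl -ss | wc -l`, as used in the post, gives roughly the same count.
state_pct() {
    printf '%s\n' "$1" | awk -v lim="$(states_limit "$2")" \
        '/current entries/ { printf "%.2f\n", 100 * $3 / lim }'
}

# state_full SI SM: succeed when the table is at its hard limit. At that point
# pf drops every new flow, which is one way a box looks "frozen" under attack.
state_full() {
    printf '%s\n' "$1" | awk -v lim="$(states_limit "$2")" \
        'BEGIN { st = 1 } /current entries/ { st = ($3 >= lim) ? 0 : 1 } END { exit st }'
}

# irq_rates V1 V2 SECS: interrupts per second per source between two vmstat -i
# runs. The "rate" column vmstat prints is the average since boot, so a burst
# barely moves it; the delta between two runs is the current load.
irq_rates() {
    printf '%s\n%s\n' "$1" "$2" | awk -v secs="$3" '
        $2 ~ /^[0-9]+$/ {
            if ($1 in first) printf "%s %d\n", $1, int(($2 - first[$1]) / secs)
            else first[$1] = $2
        }'
}

# hottest_irq V1 V2 SECS: the busiest single source (excluding Total) over the window.
hottest_irq() {
    irq_rates "$1" "$2" "$3" | awk '$1 != "Total"' | sort -k2,2 -nr | head -n 1 | awk '{ print $1 }'
}

printf 'states in use: %s%% of hard limit\n' "$(state_pct "$PFSI" "$PFSM")"
if state_full "$PFSI" "$PFSM"; then echo 'state table FULL'; else echo 'state table not full'; fi
echo 'interrupts/s over the 5 s window:'
irq_rates "$VM1" "$VM2" 5
printf 'busiest source: %s\n' "$(hottest_irq "$VM1" "$VM2" 5)"
```

With the posted numbers the state table is under 1% of its limit, so that is not what stalls the box. The deltas tell a different story from the "rate" column: over those 5 seconds bnx1 took about 5000 interrupts/s and bnx5 about 2900/s, against the since-boot averages of 1896 and 1104, so two snapshots a few seconds apart are the measurement to take during an attack, not a single `vmstat -i`.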
________________________________
From: James Shupe <[email protected]>
To: [email protected]
Sent: Friday, December 28, 2012 8:11 PM
Subject: Re: PF block log all and ddos issue
> But I still wonder why my firewall freezes when
> logging all blocked UDP 53 requests.
> The attack is not too heavy. I had seen
> much worse before.
>
- Check interrupt usage
- Check states to make sure the reason it seems unresponsive isn't due
  to the state table being full

Without more information from the machine, we don't have a lot of advice
we can really give.
--
James Shupe