Sorry, my last post is broken. You can see my outputs at: http://pastebin.com/FtbfHXf8

Thanks.

________________________________
From: Theron ZORBAS <[email protected]>
To: James Shupe <[email protected]>; "[email protected]" <[email protected]>
Sent: Friday, December 28, 2012 11:00 PM
Subject: Re: PF block log all and ddos issue

Hi again,

Here is the info that I can supply. If you need more, please tell me how.

PF Options:

    set timeout { interval 10, frag 30 }
    set timeout { tcp.first 300, tcp.opening 60, tcp.established 86400 }
    set timeout { tcp.closing 900, tcp.finwait 60, tcp.closed 90 }
    set timeout { udp.first 120, udp.single 150, udp.multiple 120 }
    set timeout { icmp.first 20, icmp.error 10 }
    set timeout { other.first 60, other.single 30, other.multiple 60 }
    set timeout { adaptive.start 0, adaptive.end 0 }
    set limit { states 500000, frags 100000 }
    set loginterface none
    set skip on { lo0 enc0 }
    set optimization normal
    set block-policy drop
    set fingerprints "/etc/pf.os"

PF states:

    root# pfctl -ss |wc -l
    4765

    root# date;vmstat -i
    Fri Dec 28 22:57:00 EET 2012
    interrupt         total     rate
    irq0/clock     91039955      799
    irq0/ipi       17900164      157
    irq82/bnx0     58237357      511
    irq98/bnx1    215829335     1896
    irq82/bnx2        59316        0
    irq97/bnx4      6800293       59
    irq80/mfi0       537214        4
    irq82/bnx5    125670397     1104
    irq84/ehci0       74177        0
    Total         516148208     4534

    root# date;vmstat -i
    Fri Dec 28 22:57:05 EET 2012
    interrupt         total     rate
    irq0/clock     91043954      799
    irq0/ipi       17900210      157
    irq82/bnx0     58237576      511
    irq98/bnx1    215854554     1896
    irq82/bnx2        59317        0
    irq97/bnx4      6800360       59
    irq80/mfi0       537232        4
    irq82/bnx5    125684762     1104
    irq84/ehci0       74177        0
    Total         516192142     4535

My egress interface is bnx1 and my attacked interface is bnx5. I read somewhere that Intel network cards' (em0 etc.) performance was better. I can try to get a new NIC to see the difference. I have taken these outputs when I am not logging the UDP 53 requests, which are just attack.

Thanks.

________________________________
From: James Shupe <[email protected]>
To: [email protected]
Sent: Friday, December 28, 2012 8:11 PM
Subject: Re: PF block log all and ddos issue

> But I still wonder why my firewall freezes when
> logging all blocked udp 53 requests.
> The attack is not too heavy. I had seen
> much worse before.

- Check interrupt usage
- Check states to make sure the reason it seems unresponsive isn't due to the state table being full

Without more information from the machine, we don't have a lot of advice we can really give.

--
James Shupe
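James's two checks, turned into a small script as an added example (this is not code posted in the thread): it reads the per-device rows from two `vmstat -i` snapshots and derives interrupts per second from the total counters, and it compares the live state count against the `set limit { states ... }` value from pf.conf. The embedded sample rows are the bnx0/bnx1/bnx5 lines from Theron's two outputs, and the 5-second interval is taken from their date stamps.

```shell
#!/bin/sh
# Added example, not from the thread: turn the two checks James suggests
# (interrupt load and state-table fullness) into numbers. The sample
# snapshots are the bnx0/bnx1/bnx5 rows from Theron's two "vmstat -i"
# outputs, which their date stamps show were taken 5 seconds apart.

SNAP1='irq82/bnx0 58237357 511
irq98/bnx1 215829335 1896
irq82/bnx5 125670397 1104'
SNAP2='irq82/bnx0 58237576 511
irq98/bnx1 215854554 1896
irq82/bnx5 125684762 1104'

# irq_rate SNAP_A SNAP_B DEV SECONDS
# Interrupts per second for DEV over the interval, from the total counters.
# The "rate" column vmstat prints is a long-running average since boot, so
# during a burst the delta of the totals is the number that actually matters.
irq_rate() {
    a=$(printf '%s\n' "$1" | awk -v d="$3" '$1 ~ "/" d "$" { print $2 }')
    b=$(printf '%s\n' "$2" | awk -v d="$3" '$1 ~ "/" d "$" { print $2 }')
    [ -n "$a" ] && [ -n "$b" ] || return 1   # device missing from a snapshot
    echo $(( (b - a) / $4 ))
}

# state_limit PF_LIMIT_LINE
# Extract the "states" value from a "set limit { ... }" line of pf.conf.
state_limit() {
    printf '%s\n' "$1" | sed -n 's/.*states[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# state_pct CURRENT LIMIT
# Percentage of the state table in use, to one decimal place.
state_pct() {
    awk -v c="$1" -v l="$2" 'BEGIN { printf "%.1f\n", c * 100 / l }'
}

# Demo on the thread's own numbers: 4765 states (pfctl -ss | wc -l)
# against "set limit { states 500000, frags 100000 }".
for dev in bnx0 bnx1 bnx5; do
    echo "$dev: $(irq_rate "$SNAP1" "$SNAP2" "$dev" 5) intr/s"
done
limit=$(state_limit 'set limit { states 500000, frags 100000 }')
echo "state table: $(state_pct 4765 "$limit")% of $limit used"
```

On these numbers the attacked interface bnx5 is taking roughly 2.5 times the interrupts its "rate" column suggests, while the state table is about 1% full, which points the investigation at interrupt and logging load rather than at state exhaustion.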

