nanog mailing list archives
Re: Merits of purpose-built (appliance) vs. FreeBSD+ipfw firewalls
From: Mikael Abrahamsson <swmike () swm pp se>
Date: Fri, 17 Jan 2003 00:59:26 +0100 (CET)
On Thu, 16 Jan 2003, Josh Brooks wrote:
3. I am not that high profile ... but what do the high profile (shell servers like foonet and EFnet irc server operators) people use ? Would any of those people consider even for a moment using a FreeBSD+ipfw system for their packet filtering and rate shaping ?
I have run an EFnet irc server with FreeBSD+ipfw on the irc server itself. Very few rules (like TCP syn ratelimiting, ICMP rate limiting, allow irc ports, allow ssh port, drop the rest) and that crummy old machine was able to handle a full 100megabit of spoofed SYN flooding.

I am not 100% up to speed as to what people are using on EFnet/IRCnet nowadays, but I am under the impression that they're still using the above, ie letting the host protect itself. Sometimes they put a capable router in front of it and let it do some of the limiting.

Back then, it wasn't the host that was getting hit worst by the flooding; it was when the spoofed TCP SYNs were replied to by the machine that the upstream Catalyst 5500 with RSMs totally choked on trying to route lookup 10kpps of diverse destinations, of which some were not even in its full routing table. The above TCP rate limiting etc (make the machine not respond to a lot of pps generated by unverified connections) did a lot of good in leveraging the upstream route lookup problem.

After implementing the above I survived several large floods without much trouble and things were great for 3 months. After that the kiddies figured out that they could attack other hosts on the same network or adjacent networks and cause the RSMs to fall over and die, and thus achieve their goals anyway.

I have no specific suggestions to you in your specific case unfortunately, my experience with FreeBSD+ipfw is limited to the above, but I thought it might give you some insight into some of the problems I faced anyway.

-- 
Mikael Abrahamsson email: swmike () swm pp se
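The ruleset Mikael describes (allow the irc and ssh ports, rate-limit inbound SYNs and ICMP, drop the rest) in rc.firewall style, as an added example that is not the poster's own configuration. It assumes a FreeBSD kernel with ipfw and dummynet, uses 192.0.2.10 (TEST-NET-1) as a placeholder for the server's address, and the port list, pipe bandwidths and queue sizes are illustrative values chosen here, not numbers from the post. By default it only prints the rules; setting FWCMD="/sbin/ipfw -q" and SYSCTLCMD=sysctl applies them.

```shell
#!/bin/sh
# Added example, not the poster's ruleset: a minimal rc.firewall-style
# ipfw configuration for a host that protects itself. Inbound SYNs to the
# IRC ports and inbound ICMP are pushed through dummynet pipes, so the
# host only answers (and the upstream router only has to route replies
# for) a bounded rate of unverified connection attempts.
#
# Assumptions: FreeBSD with IPFIREWALL and DUMMYNET in the kernel;
# 192.0.2.10 stands in for the server address; ports and pipe sizes are
# illustrative. Dry run by default (rules are echoed); set
# FWCMD="/sbin/ipfw -q" and SYSCTLCMD=sysctl to apply them.

fwcmd="${FWCMD:-echo}"
sysctlcmd="${SYSCTLCMD:-echo}"
host_ip="${HOST_IP:-192.0.2.10}"
irc_ports="${IRC_PORTS:-6660-6669,7000}"

load_rules() {
    ${fwcmd} flush
    ${fwcmd} pipe flush

    # Pipe 1 carries only inbound SYNs to the IRC ports. 64 Kbit/s is on
    # the order of 150 minimum-size SYNs per second; the queue holds 20
    # packets and anything beyond that is dropped before the host ever
    # sees it, so the flood never turns into SYN/ACKs upstream.
    ${fwcmd} pipe 1 config bw 64Kbit/s queue 20
    # Pipe 2 does the same for inbound ICMP.
    ${fwcmd} pipe 2 config bw 16Kbit/s queue 10

    ${fwcmd} add 100 allow ip from any to any via lo0
    ${fwcmd} add 200 deny ip from any to 127.0.0.0/8
    ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any

    # Packets of already established TCP connections pass unthrottled.
    ${fwcmd} add 1000 allow tcp from any to any established

    # New connections to the IRC ports go through pipe 1. With
    # net.inet.ip.fw.one_pass=1 a packet leaving the pipe is accepted
    # without further rule matching.
    ${fwcmd} add 1100 pipe 1 tcp from any to ${host_ip} ${irc_ports} setup
    ${fwcmd} add 1200 allow tcp from any to ${host_ip} 22 setup

    ${fwcmd} add 1300 pipe 2 icmp from any to ${host_ip}

    # Outbound connections and DNS lookups from the host itself.
    ${fwcmd} add 1400 allow tcp from ${host_ip} to any setup
    ${fwcmd} add 1500 allow udp from ${host_ip} to any 53
    ${fwcmd} add 1600 allow udp from any 53 to ${host_ip}

    # Everything else, including SYNs to ports no rule allows, is dropped.
    ${fwcmd} add 65000 deny ip from any to any
}

tune_sysctls() {
    # SYN cookies let the host answer a SYN without keeping state for it.
    ${sysctlcmd} net.inet.tcp.syncookies=1
    # Cap ICMP error responses and TCP RSTs (replies to closed ports)
    # per second, the other source of reply pps under a spoofed flood.
    ${sysctlcmd} net.inet.icmp.icmplim=200
    # Accept a packet as soon as it leaves a dummynet pipe (rule 1100).
    ${sysctlcmd} net.inet.ip.fw.one_pass=1
}

load_rules
tune_sysctls
```

Rule 1000 sits before the pipes deliberately: once a connection has completed its handshake its packets are never throttled, so the pipe only ever sees the unverified SYNs. The same ordering is what makes a flood of spoofed ACKs a known blind spot of an `established`-first ruleset, which is why the post's approach is a host-protection measure and not a substitute for filtering upstream.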
Current thread:
- Merits of purpose-built (appliance) vs. FreeBSD+ipfw firewalls Josh Brooks (Jan 16)
- Cross country networks, and data replication... Questions... :-) Gabriel (Jan 16)
- Re: Cross country networks, and data replication... Questions... :-) Jared Mauch (Jan 16)
- Re: Merits of purpose-built (appliance) vs. FreeBSD+ipfw firewalls Mikael Abrahamsson (Jan 16)
- Re: Merits of purpose-built (appliance) vs. FreeBSD+ipfw firewalls dre (Jan 16)
- Re: Merits of purpose-built (appliance) vs. FreeBSD+ipfw firewalls David G. Andersen (Jan 16)
- Re: Merits of purpose-built (appliance) vs. FreeBSD+ipfw firewalls Scott Francis (Jan 18)
- Re: Merits of purpose-built (appliance) vs. FreeBSD+ipfw firewalls Avleen Vig (Jan 18)
- Re: Merits of purpose-built (appliance) vs. FreeBSD+ipfw firewalls Richard A Steenbergen (Jan 18)
- Re: Merits of purpose-built (appliance) vs. FreeBSD+ipfw firewalls Scott Francis (Jan 18)
- Re: Merits of purpose-built (appliance) vs. FreeBSD+ipfw firewalls Richard A Steenbergen (Jan 18)
- Re: Merits of purpose-built (appliance) vs. FreeBSD+ipfw firewalls Avleen Vig (Jan 18)
- Re: Merits of purpose-built (appliance) vs. FreeBSD+ipfw firewalls E.B. Dreger (Jan 18)
- Cross country networks, and data replication... Questions... :-) Gabriel (Jan 16)
- Re: Merits of purpose-built (appliance) vs. FreeBSD+ipfw firewalls Tony Kapela (Jan 18)
- Re: Merits of purpose-built (appliance) vs. FreeBSD+ipfw firewalls Avleen Vig (Jan 18)