nanog mailing list archives

Re: Mitigating HTTP DDoS attacks?


From: Barney Wolff <barney () databus com>
Date: Mon, 24 Mar 2008 20:09:45 -0400


On Mon, Mar 24, 2008 at 11:34:58PM +0000, Paul Vixie wrote:

> i only use or recommend operating systems that have their own host based
> firewalls.  soon that will mean pf (from openbsd but available on freebsd)
> but right now that means ipfw.  ipfw has a "table" construct which uses a
> data structure similar to the kernel's routing table.  with a little bit
> of tuning, and using X86_64 to get more kernel memory map space than I386,
> i've listed every member of 60K-node botnets in a table whose only use is
> "if a SYN comes from here, silently drop it with no ICMP response".  with
> more tuning work, a 200K-node botnet would pose no problem.  we populate
> these tables with a perl script that watches the apache server's logfiles.

Even on an untuned fbsd i386, I had success with an ipfw table with well over
1e6 entries.  What finally broke was doing a table list, possibly because the
command prints in sorted order.  No performance problems were observed at my
limited volume of perhaps 30000 hits per day.

-- 
Barney Wolff         I never met a computer I didn't like.
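The log-watching table population Paul describes, and the table Barney tested, as an added example that is neither poster's code: a Python sketch that parses Apache access-log lines, picks client addresses over a hit threshold (skipping addresses already in the table or on an allowlist), and emits the ipfw commands that add them to the table behind a silent SYN-drop rule. The ipfw command syntax, rule number, table number and threshold are assumptions, and the log lines are constructed.

```python
import re
from collections import Counter
from typing import Iterable, List

# Apache common/combined log line: the client address is the first field.
LOG_RE = re.compile(r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3}')

# Constructed sample log lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Mar/2008:20:01:01 -0400] "GET / HTTP/1.0" 200 1234',
    '203.0.113.7 - - [24/Mar/2008:20:01:01 -0400] "GET / HTTP/1.0" 200 1234',
    '203.0.113.7 - - [24/Mar/2008:20:01:02 -0400] "GET / HTTP/1.0" 200 1234',
    '198.51.100.9 - - [24/Mar/2008:20:01:02 -0400] "GET /index.html HTTP/1.1" 200 5678',
    '192.0.2.77 - - [24/Mar/2008:20:01:03 -0400] "GET / HTTP/1.0" 200 1234',
    '192.0.2.77 - - [24/Mar/2008:20:01:03 -0400] "GET / HTTP/1.0" 200 1234',
    '192.0.2.77 - - [24/Mar/2008:20:01:04 -0400] "GET / HTTP/1.0" 200 1234',
    'garbage line that does not parse',
]

def count_hits(lines: Iterable[str]) -> Counter:
    """Count requests per client IP; lines that do not parse are skipped."""
    hits: Counter = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            hits[m.group("ip")] += 1
    return hits

def offenders(hits: Counter, threshold: int, in_table: frozenset = frozenset(),
              allow: frozenset = frozenset()) -> List[str]:
    """IPs at or above the threshold that are neither already in the table nor allowlisted."""
    return sorted(ip for ip, n in hits.items()
                  if n >= threshold and ip not in in_table and ip not in allow)

def ipfw_table_commands(ips: Iterable[str], table: int = 1) -> List[str]:
    """Shell commands that add each IP to the ipfw table (ipfw2 syntax; assumed)."""
    return [f"ipfw table {table} add {ip}" for ip in ips]

# The rule the table feeds: 'deny' drops the packet silently (no RST, no ICMP), unlike
# 'reject'; 'setup' matches only TCP packets with SYN set and ACK clear. Rule number assumed.
BLOCK_RULE = 'ipfw add 100 deny tcp from "table(1)" to any setup'

if __name__ == "__main__":
    ips = offenders(count_hits(SAMPLE_LOG), threshold=3, in_table=frozenset({"192.0.2.77"}))
    print(BLOCK_RULE)
    print("\n".join(ipfw_table_commands(ips)))
```

A production version would tail the live log and keep the allowlist for monitoring hosts and upstream proxies, since one shared proxy address can otherwise cross the threshold on legitimate traffic.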
