North American Network Operators Group


Re: Merits of purpose-built (appliance) vs. FreeBSD+ipfw firewalls

  • From: Mikael Abrahamsson
  • Date: Thu Jan 16 19:01:22 2003

On Thu, 16 Jan 2003, Josh Brooks wrote:

> 3. I am not that high profile ... but what do the high profile (shell
> servers like foonet and EFnet irc server operators) people use ?  Would
> any of those people consider even for a moment using a FreeBSD+ipfw system
> for their packet filtering and rate shaping ?

I have run an EFnet irc server with FreeBSD+ipfw on the irc server itself.
Very few rules (like TCP syn ratelimiting, ICMP rate limiting, allow irc
ports, allow ssh port, drop the rest) and that crummy old machine was able
to handle a full 100megabit of spoofed SYN flooding.

I am not 100% up to speed as to what people are using on EFnet/IRCnet
nowadays but I am under the impression that they're still using the above,
i.e. letting the host protect itself. Sometimes they put a capable router in
front of it and let it do some of the limiting.

Back then, it wasn't the host that was getting hit worst by the flooding,
it was when the spoofed TCP SYNs were replied to by the machine, the
upstream Catalyst 5500 with RSMs totally choked on trying to route lookup
10kpps of diverse destinations, of which some were not even in its full
routing table. The above TCP rate limiting etc (make the machine not
respond to a lot of pps generated by unverified connections) did a lot of
good in leveraging the upstream route lookup problem.

After implementing the above I survived several large floods without much 
trouble and things were great for 3 months. After that the kiddies figured 
out that they could attack other hosts on the same network or adjacent 
networks and cause the RSMs to fall over and die and thus achieving their 
goals anyway.

I have no specific suggestions to you in your specific case unfortunately, 
my experience with FreeBSD+ipfw is limited to the above, but I thought it 
might give you some insight into some of the problems I faced anyway.

-- 
Mikael Abrahamsson    email: [email protected]
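As an added example (not the poster's own ruleset, and not code from the original message), here is an ipfw policy of the shape the post describes: inbound TCP SYNs and ICMP are pushed through dummynet pipes so the host stops answering an unbounded stream of unverified connection attempts, the IRC and SSH ports are allowed, and everything else is dropped. The interface name fxp0, the port numbers and the pipe bandwidths are assumptions, as is the sysctl net.inet.ip.fw.one_pass=1 (the FreeBSD default), under which a packet that has passed through a pipe is accepted without further rule matching. The script only prints the ruleset unless APPLY=1 is set, so it can be reviewed before it touches the kernel.

```shell
#!/bin/sh
# Added example, not the poster's configuration. Builds an ipfw policy of
# the shape described in the post: shape inbound TCP SYNs and ICMP through
# dummynet pipes, allow the IRC and SSH ports, drop everything else.
# Assumptions (constructed, not from the post): interface fxp0, IRC on
# 6667, SSH on 22, the pipe bandwidths, and net.inet.ip.fw.one_pass=1
# (the FreeBSD default), so a packet leaving a pipe is accepted without
# further rule matching.

EXT_IF="${EXT_IF:-fxp0}"        # external interface (assumed)
IRC_PORTS="${IRC_PORTS:-6667}"  # IRC client port (assumed)
SSH_PORT="${SSH_PORT:-22}"
SYN_BW="${SYN_BW:-512Kbit/s}"   # roughly 1000 60-byte SYNs per second (assumed cap)
ICMP_BW="${ICMP_BW:-64Kbit/s}"  # cap on inbound ICMP (assumed)
IPFW="${IPFW:-ipfw}"

# Emit the ruleset as text so it can be reviewed before it is loaded.
# 'setup' matches TCP packets with SYN set and ACK clear (new connections);
# 'established' matches packets with ACK or RST set; 'me' is any address
# configured on this host.
build_ruleset() {
  cat <<EOF
pipe 10 config bw $SYN_BW queue 50
pipe 20 config bw $ICMP_BW queue 20
add 100 allow ip from any to any via lo0
add 200 deny ip from any to 127.0.0.0/8
add 300 deny ip from 127.0.0.0/8 to any
add 1000 pipe 10 tcp from any to me $IRC_PORTS setup in via $EXT_IF
add 1100 pipe 10 tcp from any to me $SSH_PORT setup in via $EXT_IF
add 1200 allow tcp from any to me $IRC_PORTS established in via $EXT_IF
add 1300 allow tcp from any to me $SSH_PORT established in via $EXT_IF
add 2000 pipe 20 icmp from any to me in via $EXT_IF
add 3000 allow ip from me to any out via $EXT_IF
add 65000 deny ip from any to any
EOF
}

# Number of 'add' rules in the generated policy (quick sanity check).
rule_count() {
  build_ruleset | grep -c '^add '
}

# True when the policy ends in an explicit default deny.
has_default_deny() {
  build_ruleset | tail -n 1 | grep -q '^add 65000 deny ip from any to any$'
}

# Flush the running firewall and pipes, then load the ruleset line by line.
load_ruleset() {
  "$IPFW" -q -f flush
  "$IPFW" -q pipe flush
  build_ruleset | while IFS= read -r line; do
    # word splitting of $line is intentional: each word is an ipfw argument
    # shellcheck disable=SC2086
    "$IPFW" -q $line
  done
}

# Dry run by default; APPLY=1 loads the rules into the kernel.
if [ "${APPLY:-0}" = "1" ]; then
  load_ruleset
else
  build_ruleset
fi
```

Two things to keep in mind when adapting this: the SYN pipe bounds how many connection attempts the host will answer per second, which is what relieved the upstream router in the post, but it also means legitimate clients queue behind a flood, so the bandwidth is a trade-off to tune rather than a fixed value; and the policy above only admits traffic the host did not initiate on the two listed ports, so replies to the host's own outbound connections (DNS lookups, server-to-server IRC links) need rules of their own before this is deployed.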