Merits of purpose-built (appliance) vs. FreeBSD+ipfw firewalls
Mikael Abrahamsson
swmike at swm.pp.se
Thu Jan 16 23:59:26 UTC 2003
On Thu, 16 Jan 2003, Josh Brooks wrote:
> 3. I am not that high profile ... but what do the high profile (shell
> servers like foonet and EFnet IRC server operators) people use? Would
> any of those people consider even for a moment using a FreeBSD+ipfw system
> for their packet filtering and rate shaping?
I have run an EFnet IRC server with FreeBSD+ipfw on the IRC server itself.
Very few rules (like TCP SYN rate limiting, ICMP rate limiting, allow IRC
ports, allow SSH port, drop the rest), and that crummy old machine was able
to handle a full 100 megabit of spoofed SYN flooding.
I am not 100% up to speed as to what people are using on EFnet/IRCnet
nowadays, but I am under the impression that they're still using the above,
i.e. letting the host protect itself. Sometimes they put a capable router in
front of it and let it do some of the limiting.
Back then, it wasn't the host that was getting hit worst by the flooding;
it was when the spoofed TCP SYNs were replied to by the machine that the
upstream Catalyst 5500 with RSMs totally choked on trying to do route lookups
for 10 kpps of diverse destinations, some of which were not even in its full
routing table. The above TCP rate limiting etc. (making the machine not
respond to a lot of pps generated by unverified connections) did a lot of
good in leveraging the upstream route lookup problem.
After implementing the above I survived several large floods without much
trouble, and things were great for 3 months. After that the kiddies figured
out that they could attack other hosts on the same network or adjacent
networks and cause the RSMs to fall over and die, thus achieving their
goals anyway.
I have no specific suggestions for you in your specific case, unfortunately;
my experience with FreeBSD+ipfw is limited to the above, but I thought it
might give you some insight into some of the problems I faced anyway.
--
Mikael Abrahamsson email: swmike at swm.pp.se
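The ruleset Mikael describes (SYN rate limiting, ICMP rate limiting, allow the IRC ports, allow SSH, drop the rest) sketched out as an ipfw script. This is an added example, not the ruleset from the original post or from any EFnet server: the rule numbers, the port list (6660-6669 and 7000), the dummynet pipe sizes, the 60-byte-per-SYN estimate and the sysctl values are all assumptions. Rate limiting of SYNs is done the way 2003-era ipfw allowed it, by pushing `setup` packets through a dummynet pipe with a small bandwidth and a short queue; `syn_pps_cap` shows how the bandwidth figure maps to an approximate SYN-per-second cap. The script only generates the rules unless it is invoked with `apply` on a host that actually has `ipfw`.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal host-protecting
# ipfw ruleset in the spirit of "SYN ratelimit, ICMP ratelimit, allow IRC,
# allow SSH, drop the rest". All numbers below are assumptions.

IRC_PORTS="${IRC_PORTS:-6660-6669,7000}"   # assumed IRC listener ports
SSH_PORT="${SSH_PORT:-22}"
SYN_BW_KBIT="${SYN_BW_KBIT:-100}"          # dummynet pipe for inbound SYNs, Kbit/s
ICMP_BW_KBIT="${ICMP_BW_KBIT:-50}"         # dummynet pipe for inbound ICMP, Kbit/s
SYN_BYTES="${SYN_BYTES:-60}"               # assumed IP+TCP size of one SYN w/ options

# Approximate packets-per-second ceiling a dummynet pipe imposes on packets
# of a given size: Kbit/s -> bytes/s -> packets/s (integer arithmetic).
syn_pps_cap() {
    kbit=$1
    bytes_per_pkt=$2
    echo $(( kbit * 1000 / 8 / bytes_per_pkt ))
}

# Emit the ruleset as shell commands. With the default
# net.inet.ip.fw.one_pass=1 a packet leaving a pipe is accepted, so the
# pipe rules are also the accept rules for SYNs and ICMP; the explicit
# allow rules after them only matter if one_pass is set to 0.
gen_ipfw_rules() {
    cat <<EOF
sysctl net.inet.tcp.syncookies=1
sysctl net.inet.icmp.icmplim=100
ipfw -f flush
ipfw pipe 1 config bw ${SYN_BW_KBIT}Kbit/s queue 10
ipfw pipe 2 config bw ${ICMP_BW_KBIT}Kbit/s queue 10
ipfw add 100 allow ip from any to any via lo0
ipfw add 200 pipe 1 tcp from any to me $IRC_PORTS in setup
ipfw add 210 pipe 2 icmp from any to me in icmptypes 0,3,8,11
ipfw add 300 allow tcp from any to me $IRC_PORTS in setup
ipfw add 310 allow tcp from any to me $SSH_PORT in setup
ipfw add 320 allow tcp from any to any established
ipfw add 330 allow icmp from any to me in icmptypes 0,3,8,11
ipfw add 400 allow ip from me to any out
ipfw add 65000 deny ip from any to any
EOF
}

# Apply only where ipfw exists; otherwise print the rules as a dry run.
apply_ipfw_rules() {
    if ! command -v ipfw >/dev/null 2>&1; then
        echo "ipfw not found; dry run, rules follow:" >&2
        gen_ipfw_rules
        return 0
    fi
    gen_ipfw_rules | sh
}

if [ "${1:-}" = "apply" ]; then
    apply_ipfw_rules
else
    echo "approx SYN/s cap for pipe 1: $(syn_pps_cap "$SYN_BW_KBIT" "$SYN_BYTES")"
    gen_ipfw_rules
fi
```

Note that SSH is deliberately not sent through the SYN pipe, so a flood against the IRC port cannot starve administrative access; the `established` rule is the usual stateless shortcut for return traffic and does let any non-SYN TCP packet in, which was acceptable for a single-purpose host of that era. The `icmplim` sysctl limits the host's own ICMP error and RST responses per second, which is the "don't answer unverified traffic at full pps" half of what the post credits with sparing the upstream router.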
More information about the NANOG mailing list