Mitigating HTTP DDoS attacks?
Barney Wolff
barney at databus.com
Tue Mar 25 00:09:45 UTC 2008
On Mon, Mar 24, 2008 at 11:34:58PM +0000, Paul Vixie wrote:
>
> i only use or recommend operating systems that have their own host based
> firewalls. soon that will mean pf (from openbsd but available on freebsd)
> but right now that means ipfw. ipfw has a "table" construct which uses a
> data structure similar to the kernel's routing table. with a little bit
> of tuning, and using X86_64 to get more kernel memory map space than I386,
> i've listed every member of 60K-node botnets in a table whose only use is
> "if a SYN comes from here, silently drop it with no ICMP response". with
> more tuning work, a 200K-node botnet would pose no problem. we populate
> these tables with a perl script that watches the apache server's logfiles.
Even on an untuned fbsd i386, I had success with an ipfw table with well over
1e6 entries. What finally broke was doing a table list, possibly because the
command prints in sorted order. No performance problems were observed at my
limited volume of perhaps 30000 hits per day.
--
Barney Wolff I never met a computer I didn't like.
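The table-driven approach both posters describe (watch the Apache log, push offending client addresses into an ipfw table, and silently drop SYNs that match it), as an added example that is neither poster's script. It assumes Apache "combined" log format, table number 1, rule number 1000 and the hit threshold; the log lines are constructed and use RFC 5737 documentation addresses.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample lines in Apache "combined" log format (documentation-range IPs).
SAMPLE_LOG = """\
192.0.2.10 - - [24/Mar/2008:23:30:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0"
192.0.2.10 - - [24/Mar/2008:23:30:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0"
192.0.2.10 - - [24/Mar/2008:23:30:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.7 - - [24/Mar/2008:23:30:02 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "curl/7.18"
not a log line at all
203.0.113.5 - - [24/Mar/2008:23:30:03 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0"
"""

# Client address is the first field of a combined-format line; the rest of the
# prefix is matched so that malformed lines are rejected rather than miscounted.
CLIENT_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "')

def count_clients(log_text):
    """Count requests per client IP, skipping lines that do not parse."""
    hits = Counter()
    for line in log_text.splitlines():
        m = CLIENT_RE.match(line)
        if not m:
            continue
        try:
            hits[str(ip_address(m.group(1)))] += 1
        except ValueError:  # hostname or junk in the client field
            continue
    return hits

def offenders(hits, threshold):
    """Addresses at or above the hit threshold (assumed policy), sorted for stable output."""
    return sorted(ip for ip, n in hits.items() if n >= threshold)

def ipfw_commands(ips, table=1, port=80):
    """One deny rule (silent drop: 'deny' sends no ICMP, 'setup' matches bare SYNs)
    for anything in the table, then one 'table add' per offender. Numbers are assumptions."""
    cmds = ["ipfw -q add 1000 deny tcp from 'table(%d)' to any dst-port %d setup" % (table, port)]
    cmds += ["ipfw -q table %d add %s" % (table, ip) for ip in ips]
    return cmds

if __name__ == "__main__":
    bad = offenders(count_clients(SAMPLE_LOG), threshold=3)
    print("\n".join(ipfw_commands(bad)))
```

On current FreeBSD the table must exist before the first add (`ipfw table 1 create`); the 2008-era syntax the thread refers to created it implicitly.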