DDOS Today - I know the limits of my hardware.

  • I have a cheap 1U server running pfSense – P3 800MHz (actually dual, but only one is recognized and I didn't think it worth the effort to fix this), 512M RAM, and a pair of SCSI disks running hardware RAID-1.  I think it's a $70 eBay special.

    Anyway, today we got hit with about 50Mb/s worth of incoming traffic (normal is less than 1 Mb at peak) and the server just kept on chugging along for about 45 minutes until it croaked.  It was reset and I logged in and changed the number of active sessions it can hand to something reasonable (it's now at 12,000 rather than 100,000), as I figured it ran out of memory and went down.

    After that it kept running happily, passing packets in a reasonably speedy manner, for another hour and a half until we isolated the source/destination of the attack and had my colo filter them upstream.  The server that was under attack is still null-routed as the attack is continuing, but overall I was extremely pleased with the performance of this firewall with such modest hardware.

    Note that I never saw the number of active connections above 4,500, which is about twice normal.  I'm assuming the firewall went down and caused my outage, but I can't be absolutely certain of that either – the logs just show no traffic during that time, and no-one else in the data center was affected as my IP was the only one targeted.

    Anyway, superb job, folks.  I was having trouble isolating which IPs were causing the problem, so while juggling 47 Mbits of incoming traffic plus whatever outgoing, pfSense happily downloaded and installed bandwidthd, all while the CPU never ran above 50% that I saw.  Memory usage was something like 20% while I was watching it.

  • States require roughly 2KB apiece.  Do not overcommit the state table.

    Also look at modulate-state which will help in these situations.
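    The two points above expressed in pf.conf syntax (the rule language underneath pfSense), as an added illustration rather than anything from the poster; `$ext_if` and `$web_srv` are assumed macros, and the state limit is the 12,000 figure the first post settled on.

    ```pf
    # Cap the state table so it cannot outgrow RAM: at roughly 2KB per state,
    # 12,000 states is about 24MB, whereas the default 100,000 would be about
    # 200MB, most of a 512MB box once the OS and pf itself are accounted for.
    set limit states 12000

    # Assumed macros (constructed for this example).
    ext_if  = "fxp0"
    web_srv = "192.0.2.10"

    # "modulate state" keeps state like "keep state" but also rewrites the
    # initial sequence numbers of TCP connections, which helps against hosts
    # behind the firewall with weak ISN generation during a flood.
    pass in on $ext_if proto tcp from any to $web_srv port 80 modulate state
    ```

    In the pfSense GUI the same settings live under System > Advanced (Firewall Maximum States) and in the rule's advanced options (State type).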
