Hmm, the Intel eepro card has a hardware option which lets you limit the number of IRQ/sec generated to the processor and solve the "too much work at interrupt" problem.
Try that out!

On Thursday 11 April 2002 19:13, Dworf wrote:
> Hello,
>
> I work for a BIG company and we get lots of SynFlood attacks on our
> company. DDoS is not a problem because our ISP is dropping all icmp on their
> router, but SynFlood attacks go through. The problem is that when there is a
> major attack the linux firewall gets disconnected while the attack is in
> progress. I get this in my /var/log/messages
>
> Apr 11 16:56:52 fw kernel: eth0: Too much work at interrupt,
> IntrStatus=0x0001.
>
> I use the RTL 8139too driver. I thought this could be a network card problem
> and changed the card to eepro100 and still the same problem, with a little
> different kernel msg, but still lose the connection when the attack is in
> progress. So I thought that maybe I have a problem with my firewall
> configuration:
>
> Current Configuration:
>
> /bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
> /bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
> /bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
> /bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
> /bin/echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
> /bin/echo "0" > /proc/sys/net/ipv4/ip_forward
>
> /bin/echo "2" > /proc/sys/net/ipv4/conf/all/rp_filter
> /bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
> /bin/echo "0" > /proc/sys/net/ipv4/tcp_timestamps
> /bin/echo "30" > /proc/sys/net/ipv4/tcp_fin_timeout
> /bin/echo "2400" > /proc/sys/net/ipv4/tcp_keepalive_time
> /bin/echo "0" > /proc/sys/net/ipv4/tcp_window_scaling
> /bin/echo "0" > /proc/sys/net/ipv4/tcp_sack
>
> /usr/sbin/iptables -N syn-flood
> /usr/sbin/iptables -A INPUT -p tcp --syn -j syn-flood
> /usr/sbin/iptables -A syn-flood -m limit --limit 2/s --limit-burst 4 -j RETURN
> /usr/sbin/iptables -A syn-flood -j LOG --log-prefix "IPTABLES SYN-FLOOD-IN: "
> /usr/sbin/iptables -A syn-flood -j DROP
>
> /usr/sbin/iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
>
> /usr/sbin/iptables -A INPUT -f -j LOG --log-prefix "IPTABLES FRAGMENTS: "
> /usr/sbin/iptables -A INPUT -f -j DROP
>
> I pasted only the syn firewall settings; other settings are some drops for
> other ports etc...
>
> Anyone got any ideas what else I could add/change for SynFlooding or
> any kind of Flooding/attacks?
>
> BTW: the line bandwidth is not a problem, we have a 100Mbit INET line to the
> ISP, but the attack usually uses up to 10Mbit and I still get disconnected.
>
> I really need help and my boss wants to see some results. Anyone? Help! And
> sorry for the long post.
>
> And sorry for my english.

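Two different failures are mixed together in the quoted thread: the kernel's "Too much work at interrupt" message is the NIC driver reporting interrupt overload (what the reply's interrupt-rate option addresses), while the iptables `syn-flood` chain uses `-m limit`, which is one global token bucket rather than a per-source one, so once a flood drains it every further SYN, including a legitimate client's, takes the LOG and DROP path. The script below is an added example, not code from the original post or from either poster: it reads `/var/log/messages`-style lines in the shape the quoted rules' LOG target and the driver message produce, counts dropped SYNs per source per second, separates high-rate sources from the low-rate ones caught as collateral damage by the global limit, and counts NIC overload warnings per interface. The sample log lines, the threshold of 3 SYN/s, and all addresses are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Syslog line as written by klogd: "Apr 11 16:56:52 fw kernel: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<msg>.*)$")
# Prefix set by the quoted rule: -j LOG --log-prefix "IPTABLES SYN-FLOOD-IN: "
SYNFLOOD_PREFIX = "IPTABLES SYN-FLOOD-IN: "
# netfilter LOG fields are KEY=VALUE tokens; bare flags (DF, SYN) are skipped.
NF_FIELD_RE = re.compile(r"(\w+)=(\S*)")
# Driver warning quoted in the post (8139too/eepro100 interrupt overload).
NIC_OVERLOAD_RE = re.compile(
    r"^(?P<iface>\w+): Too much work at interrupt, IntrStatus=(?P<status>0x[0-9a-fA-F]+)")


def parse_line(line):
    """Return a dict for a dropped-SYN log line or a NIC overload line, else None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts, msg = m.group("ts"), m.group("msg")
    if msg.startswith(SYNFLOOD_PREFIX):
        fields = dict(NF_FIELD_RE.findall(msg[len(SYNFLOOD_PREFIX):]))
        if fields.get("PROTO") != "TCP" or "SRC" not in fields:
            return None
        return {"kind": "syn_drop", "ts": ts, "src": fields["SRC"],
                "dst": fields.get("DST"), "dpt": int(fields.get("DPT", 0))}
    m2 = NIC_OVERLOAD_RE.match(msg)
    if m2:
        return {"kind": "nic_overload", "ts": ts,
                "iface": m2.group("iface"), "status": m2.group("status")}
    return None


def triage(log_text, flood_threshold=3):
    """Split dropped SYNs into flood sources vs. collateral drops; count NIC overloads.

    flood_threshold is the peak dropped-SYN/s above which a source is treated as
    part of the flood (a constructed value for the example, tune to the site).
    """
    per_src_sec = defaultdict(Counter)   # src -> Counter(second -> dropped SYNs)
    nic = Counter()                      # iface -> overload warnings
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["kind"] == "syn_drop":
            per_src_sec[ev["src"]][ev["ts"]] += 1
        else:
            nic[ev["iface"]] += 1
    peak = {src: max(c.values()) for src, c in per_src_sec.items()}
    return {
        "flood_sources": sorted(s for s, p in peak.items() if p >= flood_threshold),
        # Low-rate sources logged here were dropped only because the global
        # bucket was empty: these are the legitimate clients losing service.
        "collateral_sources": sorted(s for s, p in peak.items() if p < flood_threshold),
        "peak_syn_per_sec": peak,
        "nic_overload": dict(nic),
    }


def _syn_line(ts, src, spt, dpt):
    # Constructed sample line in the shape netfilter's LOG target writes.
    return (f"{ts} fw kernel: {SYNFLOOD_PREFIX}IN=eth0 OUT= SRC={src} DST=198.51.100.5 "
            f"LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT={spt} DPT={dpt} "
            f"WINDOW=512 RES=0x00 SYN URGP=0")


# Constructed sample log: one flooding source, two ordinary clients caught by
# the global limit, and one driver overload warning.
SAMPLE_LOG = "\n".join(
    [_syn_line("Apr 11 16:56:50", "192.0.2.10", 1024 + i, 80) for i in range(5)]
    + [_syn_line("Apr 11 16:56:50", "203.0.113.7", 40000, 22)]
    + [_syn_line("Apr 11 16:56:51", "192.0.2.10", 2000 + i, 80) for i in range(4)]
    + [_syn_line("Apr 11 16:56:51", "203.0.113.8", 41000, 25)]
    + ["Apr 11 16:56:52 fw kernel: eth0: Too much work at interrupt, IntrStatus=0x0001."]
)

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("flood sources:     ", result["flood_sources"])
    print("collateral drops:  ", result["collateral_sources"])
    print("NIC overloads:     ", result["nic_overload"])
```

Run against a real `/var/log/messages` by passing the file contents to `triage()`. A non-empty `collateral_sources` list during an attack means the global `-m limit` bucket is dropping ordinary clients along with the flood; a rising `nic_overload` count means the card is saturated before the rules even run, which is the case the reply's interrupt-rate option is meant for. Two further notes from general Linux practice (assumptions about this site, not from the post): logging every excess SYN at attack rates is itself CPU and disk work, so rate-limit the LOG rule as well, and `net.ipv4.tcp_syncookies`, absent from the quoted sysctl list, is the kernel's own SYN-flood protection.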