3.6 squid/pf performance tested

From: Karsten McMinn (tenyou@gmail.com)
Date: Thu Jan 27 2005 - 13:16:43 CST


I've returned to misc. Passing on some information for those that deem
it useful. I've been using OpenBSD since 2.9 for many things. I also
use it in the enterprise for services at an ISP. Recently we had
a small domain attract a very large scale ddos. I nominated
OpenBSD+squid/pf for the job. Stripped kernel, squid compiled
transparent with a large amount of file descriptors, 2 NICs running in
bridge mode, separate webserver behind one of the NICs.

The ddos was from win2k and xp machines, courtesy of a spyware prog.
that can only be cleaned by M$'s spyware program. The attack was
valid HTTP1.1 requests for a specific domain for a couple different
documents (non-existent documents fortunately).

Squid runs a basic acl to match the ddos packets. Shell scripts and
perl rip IP addresses out of squid logs into pf table lists to be
blocked.

Here's a bit of console output:

bits of dmesg:
OpenBSD 3.6 (AKA) #1: Mon Jan 17 11:56:41 PST 2005
    root@aka:/usr/src/sys/arch/i386/compile/AKA
cpu0: Intel Pentium III ("GenuineIntel" 686-class) 664 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
real mem = 132411392 (129308K)
avail mem = 117673984 (114916K)
using 1641 buffers containing 6721536 bytes (6564K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 08/30/01, BIOS32 rev. 0 0xffe90
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
pcibios0 at bios0: rev 2.1 0xf0000/0x10000
pcibios0: PCI IRQ Routing Table rev 1.0 0xfbc30/176 (9 entries)
pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 82371AB PIIX4 ISA" rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc0000/0x8000 0xc8000/0x8000
rl0 at pci1 dev 9 function 0 "D-Link Systems 530TX+" rev 0x10: irq 5, address 00:40:05:3d:94:e5
rlphy0 at rl0 phy 0: RTL internal phy
xl0 at pci1 dev 12 function 0 "3Com 3c905C 100Base-TX" rev 0x78: irq 5, address 00:b0:d0:60:99:8e
exphy0 at xl0 phy 24: Broadcom 3C905C internal PHY, rev. 7

root:21# pfctl -s info
Status: Enabled for 8 days 19:50:13 Debug: Urgent

Hostid: 0x6f122ee9

Interface Stats for rl0 IPv4 IPv6
  Bytes In 8023689461 0
  Bytes Out 5120661757 352
  Packets In
    Passed 25936560 0
    Blocked 123912977 0
  Packets Out
    Passed 22711501 0
    Blocked 1543 5

State Table Total Rate
  current entries 47
  searches 177117871 232.3/s
  inserts 3937584 5.2/s
  removals 3937537 5.2/s
Counters
  match 144112998 189.0/s
  bad-offset 0 0.0/s
  fragment 23853 0.0/s
  short 0 0.0/s
  normalize 2645 0.0/s
  memory 686254 0.9/s
  bad-timestamp 0 0.0/s

*note the total prefixes checked from tables is about 28k

top:

load averages: 0.52, 0.27, 0.15                                    11:01:15
25 processes: 24 idle
CPU states: 0.2% user, 0.0% nice, 0.3% system, 1.1% interrupt, 98.4% idle
Memory: 50M/97M act/tot Free: 25M Swap: 13M/369M used/tot
  PID USERNAME PRI NICE SIZE RES STATE WAIT TIME CPU COMMAND
30525 _squid 2 0 53M 44M sleep poll 49:59 0.00% squid
16372 _pflogd 4 0 468K 208K sleep bpf 4:57 0.00% pflogd
 5049 root 2 0 964K 1044K sleep select 0:27 0.00% sendmail
24566 _ntp 2 0 232K 604K sleep poll 0:11 0.00% ntpd
30476 root 2 0 304K 500K idle select 0:08 0.00% sshd
10828 root 2 0 248K 248K sleep select 0:02 0.00% cron
10339 root 2 0 344K 1912K sleep select 0:01 0.00% sshd
20151 _syslogd 2 0 140K 428K sleep poll 0:01 0.00% syslogd
14650 root 2 0 392K 1900K sleep select 0:00 0.00% sshd
27680 root 2 0 144K 484K sleep kqread 0:00 0.00% tail
12955 root 2 0 116K 172K idle netio 0:00 0.00% syslogd
31661 root 18 0 424K 352K sleep pause 0:00 0.00% ksh
27340 root 2 0 284K 272K idle poll 0:00 0.00% ntpd
19303 root 2 0 412K 148K idle netio 0:00 0.00% pflogd
    1 root 10 0 356K 96K idle wait 0:00 0.00% init
19052 root 2 0 132K 244K idle select 0:00 0.00% inetd
 4180 root 18 0 412K 340K idle pause 0:00 0.00% ksh
17289 _squid -6 0 64K 4K idle piperd 0:00 0.00% unlinkd
 5791 root 28 0 188K 884K onproc - 0:00 0.00% top
 4797 root 3 0 60K 4K idle ttyin 0:00 0.00% getty
28317 root 10 0 1548K 4K idle wait 0:00 0.00% squid

Conclusions-
This machine is an old Dell Optiplex recovered to do a job where
iptables and the best of cisco ios firewall features couldn't keep up.
At its worst the ddos was about 400+ packets per second. Squid itself
is able to keep up with this many requests without pf, which was
pleasantly surprising. With pf getting an incremented list of blocked IP
addresses from squid logs the box is bored silly. I've observed the
block list from this DDOS get as high as 50k+ addresses. All the
addresses are valid IP addresses from compromised hosts.

If you google for: newdotnet broadcasturban kontiki spybot
(no quotations in search) and follow the first link, we've got one of
the domains on the list in that broadbandforums post.

I'd be delighted to hear about other ways to go about an issue like this.

Thanks for listening.

-Karsten
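Karsten describes shell and perl that rip IP addresses out of the squid logs into pf table lists. The script below is an added illustration of that pipeline, not Karsten's scripts and not OpenBSD or squid project code. It assumes squid's native access.log layout (time, elapsed, client, code/status, bytes, method, URL, ...), a pf table named <ddos>, and a minimum-hit threshold, which is my addition to keep a single stray 404 from a legitimate visitor out of the block list; the log lines are constructed, using documentation address ranges.

```shell
#!/bin/sh
# Added example (not the poster's scripts): extract the clients that
# requested the attacked documents from squid's native access.log,
# validate them, and write a pf table file.
# Assumed native log format (field numbers used by awk below):
#   1 time  2 elapsed  3 client  4 code/status  5 bytes  6 method  7 URL ...
# The table name <ddos> and the hit threshold are assumptions.

# Constructed sample log: four attack clients, one normal visitor, one
# mangled line, with the last attacker already denied by the squid acl.
SAMPLE_LOG='1106850000.123 45 192.0.2.10 TCP_MISS/404 412 GET http://www.example.com/nonexistent.html - DIRECT/198.51.100.5 text/html
1106850000.456 12 192.0.2.11 TCP_MISS/404 412 GET http://www.example.com/nonexistent.html - DIRECT/198.51.100.5 text/html
1106850001.001 300 203.0.113.7 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/198.51.100.5 text/html
1106850001.200 40 192.0.2.10 TCP_MISS/404 412 GET http://www.example.com/other.php - DIRECT/198.51.100.5 text/html
1106850002.100 10 192.0.2.12 TCP_DENIED/403 1200 GET http://www.example.com/nonexistent.html - NONE/- text/html
1106850002.300 10 bogus-host TCP_DENIED/403 1200 GET http://www.example.com/nonexistent.html - NONE/- text/html'

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0..255,
# so a mangled log line can never push garbage into the pf table.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }'
}

# attack_ips URL_REGEX MIN_HITS < access.log
# Print, sorted and one per line, every client whose requests matched
# URL_REGEX at least MIN_HITS times. Only valid IPv4 addresses pass.
attack_ips() {
    awk -v pat="$1" -v min="$2" '
        $7 ~ pat { hits[$3]++ }
        END { for (ip in hits) if (hits[ip] >= min) print ip }' |
    while IFS= read -r ip; do
        is_ipv4 "$ip" && printf '%s\n' "$ip"
    done | sort
}

# write_table URL_REGEX MIN_HITS FILE < access.log
# Write the address list in the one-address-per-line form pf table files
# use, and print the number of addresses written.
write_table() {
    attack_ips "$1" "$2" > "$3"
    wc -l < "$3" | tr -d ' '
}

# Usage sketch for the cron job (not run here: it needs root and live pf):
#   write_table 'nonexistent[.]html|other[.]php' 3 /etc/ddos.txt < /var/squid/logs/access.log
#   pfctl -t ddos -T replace -f /etc/ddos.txt
# with, in pf.conf:
#   table <ddos> persist file "/etc/ddos.txt"
#   block in quick on $ext_if from <ddos>
```

Using `-T replace` rather than `-T add` keeps the table equal to the current list on every run, so addresses that drop out of the logs also drop out of the table; raising MIN_HITS is the knob that trades block-list size against the chance of catching a legitimate client that hit one of the missing documents once.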