Re: 3.6 squid/pf performance tested
From: Per Engelbrecht (per@xterm.dk)
Date: Thu Jan 27 2005 - 14:40:36 CST
Karsten McMinn wrote:
> I've returned to misc. Passing on some information for those that deem
> it useful. I've been using OpenBSD since 2.9 for many things. I also
> use it in the enterprise for services at an ISP also. Recently we had
> a small domain attract a very large scale ddos. I nominated
> OpenBSD+squid/pf for the job. Stripped kernel, squid compiled
> transparent with a large amount of file descriptors, 2nics running in
> bridge mode, separate webserver behind one of the nics.
>
> the ddos was from win2k and xp machines, courtesy of a spyware prog.
> that can only be cleaned by M$'s spyware program. The attack was
> valid HTTP1.1 requests for a specific domain for a couple different
> documents (non existent documents fortunately).
>
> Squid runs a basic acl to match the ddos packets. Shell scripts and
> perl rip IP addresses out of squid logs into pf table lists to be
> blocked.
>
> Here's a bit of console output:
>
> bits of dmesg:
> OpenBSD 3.6 (AKA) #1: Mon Jan 17 11:56:41 PST 2005
> root@aka:/usr/src/sys/arch/i386/compile/AKA
> cpu0: Intel Pentium III ("GenuineIntel" 686-class) 664 MHz
> cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
> real mem = 132411392 (129308K)
> avail mem = 117673984 (114916K)
> using 1641 buffers containing 6721536 bytes (6564K) of memory
> mainbus0 (root)
> bios0 at mainbus0: AT/286+(00) BIOS, date 08/30/01, BIOS32 rev. 0 @ 0xffe90
> apm0 at bios0: Power Management spec V1.2
> apm0: AC on, battery charge unknown
> pcibios0 at bios0: rev 2.1 @ 0xf0000/0x10000
> pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfbc30/176 (9 entries)
> pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 82371AB PIIX4 ISA" rev 0x00)
> pcibios0: PCI bus #1 is the last bus
> bios0: ROM list: 0xc0000/0x8000 0xc8000/0x8000
> rl0 at pci1 dev 9 function 0 "D-Link Systems 530TX+" rev 0x10: irq 5
> address 00:40:05:3d:94:e5
> rlphy0 at rl0 phy 0: RTL internal phy
> xl0 at pci1 dev 12 function 0 "3Com 3c905C 100Base-TX" rev 0x78: irq
> 5, address 00:b0:d0:60:99:8e
> exphy0 at xl0 phy 24: Broadcom 3C905C internal PHY, rev. 7
>
> root:21# pfctl -s info
> Status: Enabled for 8 days 19:50:13 Debug: Urgent
>
> Hostid: 0x6f122ee9
>
> Interface Stats for rl0 IPv4 IPv6
> Bytes In 8023689461 0
> Bytes Out 5120661757 352
> Packets In
> Passed 25936560 0
> Blocked 123912977 0
> Packets Out
> Passed 22711501 0
> Blocked 1543 5
>
> State Table Total Rate
> current entries 47
> searches 177117871 232.3/s
> inserts 3937584 5.2/s
> removals 3937537 5.2/s
> Counters
> match 144112998 189.0/s
> bad-offset 0 0.0/s
> fragment 23853 0.0/s
> short 0 0.0/s
> normalize 2645 0.0/s
> memory 686254 0.9/s
> bad-timestamp 0 0.0/s
>
> *note the total prefixes checked from tables is about 28k
>
> top:
>
> load averages: 0.52, 0.27, 0.15
> 11:01:15
> 25 processes: 24 idle
> CPU states: 0.2% user, 0.0% nice, 0.3% system, 1.1% interrupt, 98.4% idle
> Memory: 50M/97M act/tot Free: 25M Swap: 13M/369M used/tot
> PID USERNAME PRI NICE SIZE RES STATE WAIT TIME CPU COMMAND
> 30525 _squid 2 0 53M 44M sleep poll 49:59 0.00% squid
> 16372 _pflogd 4 0 468K 208K sleep bpf 4:57 0.00% pflogd
> 5049 root 2 0 964K 1044K sleep select 0:27 0.00% sendmail
> 24566 _ntp 2 0 232K 604K sleep poll 0:11 0.00% ntpd
> 30476 root 2 0 304K 500K idle select 0:08 0.00% sshd
> 10828 root 2 0 248K 248K sleep select 0:02 0.00% cron
> 10339 root 2 0 344K 1912K sleep select 0:01 0.00% sshd
> 20151 _syslogd 2 0 140K 428K sleep poll 0:01 0.00% syslogd
> 14650 root 2 0 392K 1900K sleep select 0:00 0.00% sshd
> 27680 root 2 0 144K 484K sleep kqread 0:00 0.00% tail
> 12955 root 2 0 116K 172K idle netio 0:00 0.00% syslogd
> 31661 root 18 0 424K 352K sleep pause 0:00 0.00% ksh
> 27340 root 2 0 284K 272K idle poll 0:00 0.00% ntpd
> 19303 root 2 0 412K 148K idle netio 0:00 0.00% pflogd
> 1 root 10 0 356K 96K idle wait 0:00 0.00% init
> 19052 root 2 0 132K 244K idle select 0:00 0.00% inetd
> 4180 root 18 0 412K 340K idle pause 0:00 0.00% ksh
> 17289 _squid -6 0 64K 4K idle piperd 0:00 0.00% unlinkd
> 5791 root 28 0 188K 884K onproc - 0:00 0.00% top
> 4797 root 3 0 60K 4K idle ttyin 0:00 0.00% getty
> 28317 root 10 0 1548K 4K idle wait 0:00 0.00% squid
>
>
>
> Conclusions-
> This machine is an old dell optiplex recovered to do a job where
> iptables and the best of cisco ios firewall features couldn't keep up.
> At its worst the ddos was about 400+ packets per second. Squid itself
> is able to keep up with this many requests without pf which was
> pleasantly surprising. With pf getting an incremented list of blocked IP
> addresses from squid logs the box is bored silly. I've observed the
> block list from this DDOS get as high as 50k+ addresses. All the
> addresses are valid IP addresses from compromised hosts.
>
> if you google for: newdotnet broadcasturban kontiki spybot
> (no quotations in search) and follow the first link we've got one of
> the domains on the list in that broadbandforums post.
>
> I'd be delighted to hear about other ways to go about an issue like this.
>
> Thanks for listening.
Hi Karsten
.. and thank you for the information!
Useful? Yes indeed, thumbs up.
/per
per@xterm.dk
>
>
> -Karsten
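The log-to-pf-table step Karsten describes (squid's ACL matches the flood, scripts pull the client addresses out of the squid logs and feed them to a pf table) as an added example; this is not the scripts from the original post. It assumes squid's native access.log format, and the attacked host (www.example.com), the attacked documents (/a.html, /b.html), the table name (<ddos>) and the interface in the pf.conf comment are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the scripts from the original post: pull the client IPs
# that hammer the attacked site out of a squid native-format access.log and
# load them into a pf table. Constructed values: attacked host www.example.com,
# attacked paths /a.html and /b.html, table name <ddos>.

# Constructed squid native access.log lines (timestamp elapsed client
# status/code bytes method URL ident hierarchy type). Three clients request
# the attacked documents; 203.0.113.9 fetches something else and must not be listed.
SAMPLE_LOG='1106850000.101 12 192.0.2.10 TCP_MISS/404 350 GET http://www.example.com/a.html - DIRECT/203.0.113.5 text/html
1106850000.102 11 192.0.2.10 TCP_MISS/404 350 GET http://www.example.com/b.html - DIRECT/203.0.113.5 text/html
1106850000.103 13 198.51.100.7 TCP_MISS/404 350 GET http://www.example.com/a.html - DIRECT/203.0.113.5 text/html
1106850000.104 14 198.51.100.7 TCP_MISS/404 350 GET http://www.example.com/a.html - DIRECT/203.0.113.5 text/html
1106850000.105 9 198.51.100.8 TCP_MISS/404 350 GET http://www.example.com/b.html - DIRECT/203.0.113.5 text/html
1106850000.106 40 203.0.113.9 TCP_HIT/200 5120 GET http://www.example.com/index.html - NONE/- text/html'

# ddos_ips LOGFILE THRESHOLD
# Prints, one per line, every client IP (field 3) whose requests for the
# attacked documents (field 7, the URL) reach THRESHOLD. Counting per IP
# instead of blocking on the first hit keeps a real visitor's stray 404 off
# the block list.
ddos_ips() {
    awk -v thr="$2" '
        $7 ~ /^http:\/\/www\.example\.com\/(a|b)\.html$/ { n[$3]++ }
        END { for (ip in n) if (n[ip] >= thr) print ip }
    ' "$1" | sort
}

# ddos_ip_count LOGFILE THRESHOLD: number of IPs that would be blocked
ddos_ip_count() {
    ddos_ips "$1" "$2" | wc -l | tr -d ' '
}

# load_table LOGFILE THRESHOLD
# Rewrites the pf table from the current log. pf.conf needs (rl0 assumed):
#   table <ddos> persist file "/etc/pf.ddos"
#   block in quick on rl0 from <ddos> to any
# "-T replace" swaps the whole table in one go, so this is safe to run from cron.
load_table() {
    ddos_ips "$1" "$2" > /etc/pf.ddos &&
        pfctl -t ddos -T replace -f /etc/pf.ddos
}
```

Run `load_table /var/log/squid/access.log 20` periodically (or on a rotated log) to keep the table in step with the flood; the threshold is a tuning knob, not a constant.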