0 Replies Latest reply on Sep 16, 2012 9:43 AM by martin.dimov

    Looking for advice on firewall performance problems during a DDoS attack

    martin.dimov

      Hi,

       

       

      I am experiencing DDoS attacks on my firewall. During an attack the CPU goes high because of auditing. What I did is to set:

      acl set loglevel=1

      however, the firewall audit can still reach 5-10 GB per hour.

       

       

      I have a lot of messages:

      1.

      2012-09-16 11:50:53 +0300 f_kernel_ipfilter a_general_area t_info p_major

      hostname: mfe.4vendeta.com src_geo: BG srcip: 79.124.67.3 srcport: 80

      dst_geo: BG dstip: 78.40.139.6 dstport: 40331 protocol: 6

      information: Dropped a TCP packet with no matching session; flags=0x10<ACK>

       

       

      and:

      2.

      2012-09-16 11:54:46 +0300 f_utt_client a_server t_error p_major

      pid: 995 logid: 0 cmd: 'utt_client' hostname: mfe.4vendeta.com

      information: -35|Resource temporarily unavailable

      Pending msg cnt for the tunnel.swdr.trustedsource.org tunnel reached 500. Check the communication link

       

      3.

      and a lot of alert messages, because I have set up attack response configurations.

       

       

      My questions:

      1. Any good ideas for surviving DDoS attacks?

      2. How to decrease the number of green-colored info messages: .... information: Dropped a TCP packet with no matching session; flags=0x10<ACK> ...

      3. How to decrease the number of alert messages produced by attack response? It can reach hundreds per second. I have already configured "time to wait between alerts" to at least 120 sec, but I see this does not work, and there are still a lot of attack response alert messages in my log.

      4. With "acl set loglevel=1", does attack response still work?

      5. How to increase TSource performance? This is one of the tools that helps during a DDoS, but as you see I am reaching its limits.

      6. What could I configure to make the firewall perform better?

       

      The attack is about 100-200 Kpps TCP or UDP; during the attack the SNMP daemon crashes, so I cannot get any statistics from the firewall.

       

      I am looking for smart ideas about what to do.

      Thanks in advance
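The post above shows two kinds of audit records, and the real question during a flood is not reading each "Dropped a TCP packet with no matching session" line but aggregating them: which source IPs and TCP flag combinations dominate, and how many events per second the audit is writing. The following is an added example, not code from the original post or from the firewall vendor. It assumes only the record layout visible in the post (a header of date, time, timezone, facility, area, type and priority, followed by "key: value" pairs, possibly wrapped over several lines, with a new record starting at each timestamp). The sample records are constructed for illustration; the second source address (198.51.100.7) and the RST,ACK flag combination do not appear in the post.

```python
"""Triage audit records of the form shown in the post during a log flood.

Added example, not the firewall's own tooling. Assumes the audit layout
from the post: '<date> <time> <tz> <facility> <area> <type> <priority>'
followed by 'key: value' pairs; a record may wrap onto following lines.
SAMPLE below is constructed, not captured from a real firewall.
"""
import re
from collections import Counter

HEADER = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}) '
    r'(?P<facility>\S+) (?P<area>\S+) (?P<type>\S+) (?P<priority>\S+)'
    r'\s*(?P<rest>.*)$'
)
# 'key: value' where the value runs until the next 'key: ' or end of record;
# this keeps free-text values such as the 'information' field intact.
KV = re.compile(r'(\w+): (.*?)(?=\s+\w+: |$)')

NO_SESSION = 'Dropped a TCP packet with no matching session'

# Constructed sample: one record wrapped like the post shows it, three
# single-line records, and one utt_client (TrustedSource tunnel) error.
SAMPLE = """\
2012-09-16 11:50:53 +0300 f_kernel_ipfilter a_general_area t_info p_major
hostname: mfe.4vendeta.com src_geo: BG srcip: 79.124.67.3 srcport: 80
dst_geo: BG dstip: 78.40.139.6 dstport: 40331 protocol: 6
information: Dropped a TCP packet with no matching session; flags=0x10<ACK>
2012-09-16 11:50:53 +0300 f_kernel_ipfilter a_general_area t_info p_major hostname: mfe.4vendeta.com src_geo: BG srcip: 79.124.67.3 srcport: 80 dst_geo: BG dstip: 78.40.139.6 dstport: 40332 protocol: 6 information: Dropped a TCP packet with no matching session; flags=0x10<ACK>
2012-09-16 11:50:54 +0300 f_kernel_ipfilter a_general_area t_info p_major hostname: mfe.4vendeta.com src_geo: US srcip: 198.51.100.7 srcport: 443 dst_geo: BG dstip: 78.40.139.6 dstport: 40333 protocol: 6 information: Dropped a TCP packet with no matching session; flags=0x14<RST,ACK>
2012-09-16 11:50:54 +0300 f_kernel_ipfilter a_general_area t_info p_major hostname: mfe.4vendeta.com src_geo: BG srcip: 79.124.67.3 srcport: 80 dst_geo: BG dstip: 78.40.139.6 dstport: 40334 protocol: 6 information: Dropped a TCP packet with no matching session; flags=0x10<ACK>
2012-09-16 11:54:46 +0300 f_utt_client a_server t_error p_major
pid: 995 logid: 0 cmd: 'utt_client' hostname: mfe.4vendeta.com
information: -35|Resource temporarily unavailable Pending msg cnt for the tunnel.swdr.trustedsource.org tunnel reached 500. Check the communication link
"""


def parse_audit(text):
    """Return a list of dicts, one per record; wrapped lines are rejoined."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            rec = {k: m.group(k) for k in ('ts', 'facility', 'area', 'type', 'priority')}
            rec['_rest'] = m.group('rest')
            records.append(rec)
        elif records:
            records[-1]['_rest'] += ' ' + line  # continuation of a wrapped record
    for rec in records:
        for key, val in KV.findall(rec.pop('_rest')):
            rec[key] = val.strip()
    return records


def no_session_drops(records):
    """Only the packet-filter drops for packets without a session."""
    return [r for r in records
            if r.get('facility') == 'f_kernel_ipfilter'
            and r.get('information', '').startswith(NO_SESSION)]


def top_talkers(records, field='srcip', n=5):
    """Most frequent values of a field (srcip, srcport, dstport, ...)."""
    return Counter(r[field] for r in records if field in r).most_common(n)


def per_second(records):
    """Events per audit timestamp (one-second resolution in the logs)."""
    return dict(Counter(r['ts'] for r in records))


def tcp_flags(records):
    """Histogram of the flags=0x..<...> suffix in the information field."""
    hist = Counter()
    for r in records:
        m = re.search(r'flags=(0x[0-9a-fA-F]+<[^>]*>)', r.get('information', ''))
        if m:
            hist[m.group(1)] += 1
    return hist


if __name__ == '__main__':
    drops = no_session_drops(parse_audit(SAMPLE))
    print('no-session drops :', len(drops))
    print('top srcip        :', top_talkers(drops))
    print('top srcport      :', top_talkers(drops, 'srcport'))
    print('flags            :', dict(tcp_flags(drops)))
    print('per second       :', per_second(drops))
```

Run it against a saved audit extract instead of SAMPLE to see whether the drops come from a few sources (candidates for a deny rule upstream or on the firewall) or are spoofed across many addresses, and whether the flag mix is bare ACKs as in the post or something else; the per-second counts give the event rate the audit is being asked to absorb, which is the number to compare against the log volume the post reports.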