I am experiencing DDoS attacks on my firewall. During an attack the CPU goes high because of auditing. What I did is to set:
acl set loglevel=1
however the firewall audit could reach 5-10G per hour.
I have a lot of messages:
2012-09-16 11:50:53 +0300 f_kernel_ipfilter a_general_area t_info p_major
hostname: mfe.4vendeta.com src_geo: BG srcip: 22.214.171.124 srcport: 80
dst_geo: BG dstip: 126.96.36.199 dstport: 40331 protocol: 6
information: Dropped a TCP packet with no matching session; flags=0x10<ACK>
2012-09-16 11:54:46 +0300 f_utt_client a_server t_error p_major
pid: 995 logid: 0 cmd: 'utt_client' hostname: mfe.4vendeta.com
information: -35|Resource temporarily unavailable
Pending msg cnt for the tunnel.swdr.trustedsource.org tunnel reached 500. Check the communication link
and a lot of alert messages because I set up attack response configurations
1. any good idea to survive DDoS attacks?
2. how to decrease the number of green color info messages: .... information: Dropped a TCP packet with no matching session; flags=0x10<ACK> ...
3. how to decrease the number of alert messages produced by attack response. It could reach hundreds per second. I already configured "time to wait between alerts" to at least 120sec. But I see this does not work and a lot of attack response alert messages are in my log.
4. if "acl set loglevel=1" is set, does attack response still work?
5. how to increase TSource performance? This is one of the tools that helps during DDoS but as you see I am reaching its limits.
6. what could I configure to make firewall more performant?
The attack is about 100-200Kpps TCP or UDP; during the attack the SNMP daemon is crashing so I cannot get any statistics from the firewall.
I am looking for smart ideas what to do.
Thanks in advance
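Before lowering the audit level, it helps to know which sources and which message types are actually filling the log. The script below is an added example, not code from the post or from the firewall vendor: it parses audit records in the layout quoted above (a header line with date, time, timezone, facility, area, type and priority, followed by "key: value" lines and free-text continuation lines), then counts "no matching session" drops per source IP and per second. The sample records are constructed from the two messages in the post; the extra IPs use RFC 5737 documentation ranges and the record layout is assumed from the post, not from vendor documentation.

```python
import re
from collections import Counter

# Constructed sample audit excerpt in the format quoted in the post.
# Addresses not taken from the post use RFC 5737 documentation ranges.
SAMPLE_AUDIT = """\
2012-09-16 11:50:53 +0300 f_kernel_ipfilter a_general_area t_info p_major
hostname: mfe.4vendeta.com src_geo: BG srcip: 22.214.171.124 srcport: 80
dst_geo: BG dstip: 126.96.36.199 dstport: 40331 protocol: 6
information: Dropped a TCP packet with no matching session; flags=0x10<ACK>
2012-09-16 11:50:53 +0300 f_kernel_ipfilter a_general_area t_info p_major
hostname: mfe.4vendeta.com src_geo: BG srcip: 22.214.171.124 srcport: 80
dst_geo: BG dstip: 126.96.36.199 dstport: 40332 protocol: 6
information: Dropped a TCP packet with no matching session; flags=0x10<ACK>
2012-09-16 11:50:54 +0300 f_kernel_ipfilter a_general_area t_info p_major
hostname: mfe.4vendeta.com src_geo: US srcip: 198.51.100.7 srcport: 443
dst_geo: BG dstip: 126.96.36.199 dstport: 40333 protocol: 6
information: Dropped a TCP packet with no matching session; flags=0x10<ACK>
2012-09-16 11:54:46 +0300 f_utt_client a_server t_error p_major
pid: 995 logid: 0 cmd: 'utt_client' hostname: mfe.4vendeta.com
information: -35|Resource temporarily unavailable
Pending msg cnt for the tunnel.swdr.trustedsource.org tunnel reached 500. Check the communication link
"""

# Header line: date time tz facility area type priority (assumed layout).
HEADER_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<tz>[+-]\d{4}) "
    r"(?P<facility>\S+) (?P<area>\S+) (?P<type>\S+) (?P<priority>\S+)$"
)
# "key: value" pairs; a value runs until the next "key: " token or line end.
KV_RE = re.compile(r"(\w+): (.*?)(?=\s+\w+: |$)")

DROP_MSG = "Dropped a TCP packet with no matching session"


def parse_audit(text):
    """Group audit lines into records (dicts). A header line starts a record;
    'information:' keeps its whole remainder; other key/value lines are
    merged into the record; anything else is a continuation of the
    information text."""
    records = []
    cur = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = m.groupdict()
            records.append(cur)
            continue
        if cur is None:
            continue  # text before the first header; nothing to attach it to
        if line.startswith("information: "):
            cur["information"] = line[len("information: "):]
            continue
        pairs = KV_RE.findall(line)
        if pairs:
            cur.update(pairs)
        else:
            cur["information"] = (cur.get("information", "") + " " + line).strip()
    return records


def summarize_drops(records):
    """Count no-session drops per source IP and per second, so the noisiest
    sources and the peak logging rate are visible without reading every
    info-level line."""
    per_src = Counter()
    per_second = Counter()
    for r in records:
        if r.get("facility") == "f_kernel_ipfilter" and DROP_MSG in r.get("information", ""):
            per_src[r.get("srcip", "?")] += 1
            per_second[r["date"] + " " + r["time"]] += 1
    return per_src, per_second


def by_type(records):
    """Count records per (facility, type), e.g. how many t_info vs t_error."""
    return Counter((r["facility"], r["type"]) for r in records)


if __name__ == "__main__":
    recs = parse_audit(SAMPLE_AUDIT)
    src, sec = summarize_drops(recs)
    print("records by facility/type:", dict(by_type(recs)))
    print("top drop sources:", src.most_common(5))
    print("peak drops per second:", max(sec.values()) if sec else 0)
```

Run it against a saved audit file by replacing SAMPLE_AUDIT with the file's contents; the per-second counter shows how close the drop logging is to the rates you see during an attack, and the per-source counter shows whether a few addresses dominate, which is the kind of evidence worth having before deciding which messages to suppress.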