[Firehol-support] Re: servere's firewall

Sheldon Hearn sheldonh at clue.co.za
Tue May 3 09:01:22 BST 2005


On Mon, 2005-05-02 at 07:30 +1000, Rick Marshall wrote:

> Is there a formula relating line speed to legitimate requests per 
> second? I'm running 2Mb symmetric at many locations, so should I be 
> looking at 1000/sec, 2000? And I need the web sites to be very responsive.

What works very well for me is to profile the SYN rate when you're
confident that an attack is not underway, and then multiply that by 10
and use it as an upper limit.

You can easily measure the SYN rate using tcpstat:

tcpstat -i eth0 -f 'tcp[tcpflags] & (tcp-syn) != 0' 3600
Time:1115107116 n=139   avg=40.04       stddev=0.51     bps=44528.00
...

The 3600 requests hourly stats, and the n= value is your SYN rate. Take
the highest SYN rate of any hour in a 24-hour or 1-week period, multiply
that by 10, and you have what I find works well. YMMV.

Ciao,
Sheldon.
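The procedure above (sample SYN counts with tcpstat, take the busiest interval, multiply by 10) can be scripted so the limit is derived from data rather than read off by hand. The following is an added example written for this page, not code from the original post or from the FireHOL project. It parses lines in the format tcpstat prints, flags intervals tcpstat skipped, and computes the limit; the sample output lines are constructed, and the "N/sec" string it builds is assumed to match the requests/period argument that FireHOL's protection keyword accepts.

```python
"""Derive a SYN rate limit from tcpstat interval counts.

Added example, not from the original post. Sample lines below are
constructed to look like tcpstat output, not captured from a real host.
"""
import math
import re

# One tcpstat line per interval:
# Time:<epoch> n=<packets in interval> avg=<bytes> stddev=<bytes> bps=<bits/s>
TCPSTAT_LINE = re.compile(
    r"Time:(?P<time>\d+)\s+n=(?P<n>\d+)\s+avg=(?P<avg>[\d.]+)"
    r"\s+stddev=(?P<stddev>[\d.]+)\s+bps=(?P<bps>[\d.]+)"
)

# Constructed: five hourly samples (interval 3600), with one missing hour
# between the fourth and fifth line to show the gap check.
SAMPLE_HOURLY = """\
Time:1115107116 n=2880  avg=60.00       stddev=0.00     bps=384.00
Time:1115110716 n=5400  avg=60.00       stddev=0.00     bps=720.00
Time:1115114316 n=8100  avg=60.00       stddev=0.00     bps=1080.00
Time:1115117916 n=3600  avg=60.00       stddev=0.00     bps=480.00
Time:1115125116 n=3600  avg=60.00       stddev=0.00     bps=480.00
"""

# Constructed: three one-second samples (interval 1) from the same host.
# Hourly averages hide bursts; one-second samples expose them.
SAMPLE_1S = """\
Time:1115107116 n=3     avg=60.00       stddev=0.00     bps=1440.00
Time:1115107117 n=11    avg=60.00       stddev=0.00     bps=5280.00
Time:1115107118 n=6     avg=60.00       stddev=0.00     bps=2880.00
"""


def parse_tcpstat(output):
    """Return [(epoch, packet_count), ...] for every well-formed tcpstat line."""
    samples = []
    for line in output.splitlines():
        m = TCPSTAT_LINE.search(line)
        if m:
            samples.append((int(m.group("time")), int(m.group("n"))))
    return samples


def find_gaps(samples, interval):
    """Return (previous_epoch, epoch) pairs whose spacing is not one interval.

    A gap means tcpstat (or the capture) dropped an interval, so the peak
    may be understated; re-sample before trusting the result.
    """
    return [(a, b) for (a, _), (b, _) in zip(samples, samples[1:])
            if b - a != interval]


def syn_limit_per_second(samples, interval, multiplier=10):
    """Busiest interval's SYN count, scaled to per-second, times multiplier.

    With interval=3600 this gives the post's sustained-rate limit; with
    interval=1 the same arithmetic gives a burst ceiling.
    """
    if not samples:
        raise ValueError("no tcpstat samples parsed")
    peak = max(n for _, n in samples)
    return math.ceil(peak / interval * multiplier)


def firehol_rate(limit_per_second):
    """Format the limit as 'N/sec' (assumed to be FireHOL's rate syntax)."""
    return f"{limit_per_second}/sec"


if __name__ == "__main__":
    hourly = parse_tcpstat(SAMPLE_HOURLY)
    for a, b in find_gaps(hourly, 3600):
        print(f"warning: {b - a}s between samples at {a} and {b}, expected 3600")
    rate = syn_limit_per_second(hourly, 3600)
    burst = syn_limit_per_second(parse_tcpstat(SAMPLE_1S), 1)
    print(f"sustained SYN limit: {firehol_rate(rate)}  burst: {burst}")
```

Run it against real output by piping tcpstat into a file for a day or a week and feeding that file to parse_tcpstat; the hourly run sets the rate and a short one-second run sets the burst, which is the value an hourly average alone cannot give you.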
