HOLY SH*T! I tried 4.2. It rocks!
Just the first test that I tried after installing it:
- switched gigabit network
- web server behind 1:1 NATing firewall
- firewall is AMD64 X2 2.4GHz
- downloading 2GB file via HTTP through the firewall in infinite loop
- flooding the firewall with small UDP packets, random source IPs,
generated as fast as my workstation (AMD64 X2 6400, Intel Pro/1000 PCI
Express card, Linux Fedora 7, running the kernel-level "pktgen" packet
generator which is very fast) can crank them out. The packets are
directed to the NATed address of the web server, to a port that's
blocked by the firewall.
Under these conditions, OpenBSD 4.1 as a firewall just keels over and
dies. All traffic through the firewall just stops in an instant.
Linux 2.6.18 fares slightly better, the current download finishes up,
but another one won't start.
But the default OpenBSD 4.2 i386 uniprocessor kernel doesn't seem to
care. The download just keeps going. New downloads are initiated OK
through the firewall. There are even spare CPU cycles left :-) not many
(10%) but still. There's a very large percentage of CPU (80...90%) used
for interrupts.
Good job folks, I'm impressed.
Anyone building gigabit routers and firewalls, don't delay, upgrade to
4.2. Heck, do that even for 100Mbit systems, this type of DoS doesn't
need much bandwidth to be effective.
I'll keep doing tests. If anything interesting shows up, I'll post the
results in a new thread.
--
Florin Andrei
http://florin.myip.org/
