Then I will do some tests with 4.2 on gigabit-capable hardware. If
anything noteworthy comes out, I'll post the results.
Don't expect something too fancy, but I guess anything is better than
nothing.
Hmmm.
Please correct me if I'm wrong:
Let's say a firewall is connected to a pretty fast Internet pipe (in the
gigabit range). Let's say there's a DDoS against this environment. In
theory, the firewall would need lots of RAM so that it can deal with the
incoming nasty packets, create an entry for each packet in the state
table (don't know the correct name for it in OpenBSD, sorry), then
expire it after a while.
In theory, the firewall could be tweaked to expire unused states
quickly, but still, more RAM is better when dealing with a DDoS.
What's still not clear to me is how much RAM I should provision per 1Gb
of bandwidth on OpenBSD, assuming there's an incoming
worst-case-scenario DDoS, that consumes RAM (and other resources) on the
firewall yet leaves some bandwidth open for legitimate traffic (so the
firewall must be able to continue to let the good traffic pass through).
Also assuming some tweaking has been done on the firewall to expire the
bad stuff quickly without affecting legitimate traffic.
But all that depends on the actual legitimate traffic and on the
firewall rules.
I guess that's another way of saying "more tests are needed". :-/
Aw, damn. I was hoping that's not quite the case.
Well, then hopefully the dynamic routing daemons won't get too greedy
and DoS the firewall from within. :-) Or I may have to re-think the
whole environment and forget the idea of doing any kind of dynamic
routing on the firewall - from a security perspective, dynamic routing
on the firewall sucks anyway.
Looks like my performance test matrix just got bigger by a factor of 2x.
:-/ But the bad combinations should get pruned pretty quickly, I guess.
+-----+-------+-------+
| \ | i386 | amd64 |
+-----+-------+-------+
| SMP | | |
+-----+-------+-------+
| UP | | |
+-----+-------+-------+
--
Florin Andrei
http://florin.myip.org/
