I had an experience with a DDOS attack comprising some 10,000 IPs. Adding them individually as INPUT DROPS did not work because after 5000 or so IPs, the box became too slow to pickup new packets from the card quickly enough, so we replaced one problem (flood) with another (random overruns on the card). The traffic was about 6mbit of small packets (SYNs and tiny data packets). About 10,000 packets per second. The more DROPs, the less packets per second could be handled. Removing all DROPS meant all packets could be handled .. although that just pushed the problem onto apache. My question is this .. how many DROPS can the latest netfilter adequately cope with before impacting the PPS speed of the linux box? Would -t raw have been a much better solution here? My network driver was e1000.o with NAPI compiled. Kernel was latest 2.4 smp kernel. Machine was dual xeon with 2gb of memory. Nothing else of consequence running on the box. thanks
