BSDCan2016 - v1.1.24a

BSDCan 2016
The Technical BSD Conference

Kajetan Staszkiewicz
Day Talks #1 - 10 June - 2016-06-10
Room DMS 1120
Start time 16:00
Duration 01:00
ID 668
Event type Lecture
Track System Administration
Language used for presentation English

Improving PF's performance and reliability.

Lessons learned from bashing pf with DDoS attacks and other malicious traffic.

There has recently been a lot of work going on on FreeBSD's version of PF. Does it perform better? Does it contain bugs? How does it compare to other implementations of PF?

At my $WORK I was given a wonderful opportunity to use FreeBSD as a pf-based load balancer. Reality did not match expectations, especially when faced with what the Internet throws at us. We have 38 load balancers running FreeBSD, each handling up to 600k states under normal conditions with a few thousand rules. DDoS attacks forced me to review not only the ruleset, but also the code. There was much room for improvement in both. The latest development of multithreaded pf in FreeBSD also brought light and hope for better performance under harsh conditions. But how does it really perform?

Topics covered:

- How my $WORK uses PF and FreeBSD as its choice for load balancing.
- A short introduction to what DoS and DDoS attacks are.
- How PF fails (or rather failed, before patching) to handle them.
- What can be improved and what was already improved, both in the ruleset and in the code.
- How FreeBSD 10's "multithreaded" PF is better at handling such attacks.
- Comparison of performance and bugs/features between implementations of PF in different *BSD operating systems, especially under attack.