We previously ran a high volume DNS server behind a
pair of redundant IP650 firewalls (256M RAM), and got into some "performance
problems".
For example, assume the following:
*** Connection table size set to 50K
connections.
*** 20K connections "used up" by TCP based
services.
*** UDP timeout in FW-1 set to the minimum of 40
seconds
*** High-volume DNS server implemented "behind"
firewalls.
Then, let's have a look at the number of connection
table entries used in relation to DNS traffic:
DNS queries/s    Connection Table Entries
=============    ========================
            0                       20000
           50                       24000
          100                       28000
          200                       36000
          400                       52000
          800                       84000
         1000                      100000
Notes:
*** Each DNS connection takes up two entries in the
connection table
*** TCP connections assumed to be static at
20,000.
*** Connection table entries = 2 x dns_queries/s x
40 + 20000
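As an added worked example (not from the original post), the sizing rule above as a small Python model: it reproduces the table and inverts the formula to give the query rate at which a given connection table fills, which is the capacity-planning number a defender wants before a UDP flood finds it empirically. The constants are the post's own assumptions (two entries per query, 40s UDP timeout, 20K static TCP entries).

```python
# Constructed capacity model of the FW-1 connection-table usage described
# in the post. Constants are the post's stated assumptions, not measured values.
ENTRIES_PER_DNS_QUERY = 2      # each DNS query takes two table entries
UDP_TIMEOUT_S = 40             # FW-1 minimum UDP timeout, per the post
STATIC_TCP_ENTRIES = 20_000    # TCP connections assumed constant


def table_entries(dns_qps, udp_timeout_s=UDP_TIMEOUT_S,
                  tcp_entries=STATIC_TCP_ENTRIES):
    """Entries = 2 x dns_queries/s x udp_timeout + static TCP entries."""
    return ENTRIES_PER_DNS_QUERY * dns_qps * udp_timeout_s + tcp_entries


def max_dns_qps(table_size, udp_timeout_s=UDP_TIMEOUT_S,
                tcp_entries=STATIC_TCP_ENTRIES):
    """Largest whole query rate that still fits in the table.

    Inverts the formula: (table_size - tcp) / (2 x timeout). Returns 0 when
    TCP alone already fills the table.
    """
    free = table_size - tcp_entries
    if free <= 0:
        return 0
    return free // (ENTRIES_PER_DNS_QUERY * udp_timeout_s)


def headroom_pct(dns_qps, table_size):
    """Percent of the table still free at a given query rate (negative = overflow)."""
    used = table_entries(dns_qps)
    return 100.0 * (table_size - used) / table_size


def occupancy_table(rates=(0, 50, 100, 200, 400, 800, 1000)):
    """Rebuild the post's table as (queries/s, entries) pairs."""
    return [(r, table_entries(r)) for r in rates]


if __name__ == "__main__":
    for qps, entries in occupancy_table():
        print(f"{qps:>6} q/s -> {entries:>7} entries")
    for size in (50_000, 100_000, 300_000):
        print(f"table {size:>7}: max {max_dns_qps(size):>5} q/s at 40s timeout, "
              f"{max_dns_qps(size, udp_timeout_s=120):>5} q/s at 120s")
```

Raising the UDP timeout shrinks the sustainable query rate in direct proportion, which is the quantitative form of conclusion 3 below.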
This brings me to the conclusions
that:
1) With a 50K connection table size, one can only
handle less than 400 DNS queries/s
2) With a 100K connection table size, one can
handle around 1000 DNS queries/s
3) It could be very "bad" to have the UDP timeout
set to a "high value".
and most importantly:
4) It would seem that FW-1 could have serious
problems handling high-volume DNS/UDP sites.
5) It would also seem that an "easy" denial of
service attack against FW-1 would be to spray it with a largish number of DNS
queries. (Or any other UDP traffic that is allowed by the ruleset.) However, I
have not tried this.
The only workarounds that I can see
are:
1) Avoid using FW-1 in high-volume UDP
applications. For example, put hardened router ACL protected DNS boxes outside
of the firewalls.
2) Increase the connection table size to something
large, say 100K - 300K. (Assuming FW-1 can handle these connection table sizes.
100K seems OK, haven't tested anything larger.)
3) Decrease the UDP timeout. However, I believe
that 40s is the minimum. Also, due to the exponential backoff used by DNS, it is
probably a very bad idea to use anything smaller anyway.
4) Drop Checkpoint and use another firewall that
can support very large connection table sizes.
We got around the problem by using a combination of
1) and 2). However, I am still worried from a denial of service point of view.
We escalated this problem to Checkpoint and talked
to a number of their "experts". Eventually, it got escalated all the way to
Israel. However, I was _extremely_ disappointed in Checkpoint's responses. They
could not answer a single question that we put forward. Not a single one. So much
for experts. Seems like support and Checkpoint don't mix.
I would be _extremely_ interested in hearing about
other peoples' experiences in relation to FW-1 UDP performance in general and
DNS performance in particular.
Many thanks!
--oo
PS. We are about to evaluate the Netscreen boxes
as IP650 replacements.