
List:       linux-bridge
Subject:    Re: [Bridge] dos attacks and performance issues
From:       Lennert Buytenhek <buytenh () gnu ! org>
Date:       2002-02-06 10:04:47

Hi,

The problem is definitely in software; currently Linux just throws up and dies
when placed under high network load (in terms of packets per second).  The
real solution is basically to do what NAPI does: to rewrite some network
code and driver code to gracefully handle the case where the system doesn't
keep up with network traffic.  With NAPI, I can easily sustain fast ethernet
tinygram routing (148kpps) on a P3 500, while userspace applications are not
CPU-starved.

Currently there are driver patches for tulip and 3c59x cards.  Get NAPI at
ftp://robur.slu.se/pub/Linux/net-development/NAPI/

You will still see the problem with an Athlon XP and plain Linux 2.4, albeit
under higher loads.


cheers,
Lennert



On Wed, Feb 06, 2002 at 04:52:17AM +0200, Dimitris Zilaskos wrote:

> 
>   Hi,
> 
>  Some kids(?) are regularly packeting a box I have behind a bridge /
> firewall.
> 
>  Firewall/bridge system is a P166, 32 RAM, running Slackware 8. Kernel is
> 2.4.17 patched with bridge-nf-0.0.6-against-2.4.17.diff. I am also using
> bridge-utils-0.9.5 to set up the bridge. Behind the bridge is a hub with a
> single box connected. The whole network runs at 10 Mbps. No processes
> other than the absolutely necessary ones are running on the firewall.
> 
>    Symptom:
> 
>  During the attacks the firewall becomes very slow. I press num lock and
> the light goes on after 30 seconds or so, I type something and it shows
> up after some seconds, etc. It is almost frozen. The box behind it of
> course loses connectivity. When the attack ceases, or I pull the cable
> connecting to the internet, the system instantly returns to normal. The bridge
>  needs some more minutes to start working again, but it eventually works.
> 
>   I am not sure if it is a netfilter code / bridge code / obsolete hardware
> issue. However, the same box in the past has served as an IRC server
> with kernel 2.4.0, and handled various violent attacks like those ones
> without showing the same symptoms.
> 
>    Attached are the ruleset where the host under attack is 1.2.3.4, and a
> small tcpdump snapshot of the attack. The whole tcpdump file of the
> attack is over 100 Mbytes.
> 
>  I wanted to know what you guys think about the issue. Should I get an
> Athlon XP or something for the firewall?
> 
>  Kind regards,
> 

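A toy cost model of the two receive paths contrasted in the reply above, added here as an example; it is not code from the list, the bridge project or NAPI itself. The cycle costs, the 1 ms tick and the poll budget are constructed assumptions chosen to make the behaviour visible, not measurements of any kernel.

```c
#include <stdio.h>
/* Constructed cost model, not measurements: a ~500 MHz CPU (the P3 500 in the
 * reply) with a 1 ms scheduler tick, and per-packet cycle costs chosen only
 * to make the two regimes visible. */
#define TICK_CYCLES 500000UL   /* cycles available per 1 ms tick */
#define IRQ_COST      1500UL   /* interrupt entry/exit + ring housekeeping */
#define PROTO_COST    2000UL   /* bridge + netfilter + stack work per packet */
#define POLL_BUDGET    200UL   /* packets one poll may process before yielding (assumed) */
typedef struct {
    double user_share;        /* fraction of the tick left for userspace */
    unsigned long delivered;  /* packets that reached the protocol stack */
    unsigned long dropped;    /* packets lost */
} rx_result;
/* Interrupt-per-packet receive (plain 2.4): every arrival raises an interrupt
 * before any stack work runs. Once interrupts alone exceed the tick, nothing
 * is delivered and userspace never runs: receive livelock. */
rx_result irq_per_packet(unsigned long pps) {
    unsigned long arrivals = pps / 1000;               /* packets per 1 ms tick */
    unsigned long irq_cycles = arrivals * IRQ_COST;
    rx_result r = {0.0, 0, 0};
    if (irq_cycles >= TICK_CYCLES) { r.dropped = arrivals; return r; }
    unsigned long left = TICK_CYCLES - irq_cycles;
    unsigned long can_process = left / PROTO_COST;
    r.delivered = can_process < arrivals ? can_process : arrivals;
    r.dropped = arrivals - r.delivered;
    left -= r.delivered * PROTO_COST;
    r.user_share = (double)left / TICK_CYCLES;
    return r;
}
/* NAPI-style receive: one interrupt wakes the poller, interrupts stay masked
 * while it drains the ring up to a budget, then it yields. Packets beyond the
 * budget overflow the NIC ring and are dropped without costing any CPU. */
rx_result napi_poll(unsigned long pps) {
    unsigned long arrivals = pps / 1000;
    rx_result r = {0.0, 0, 0};
    r.delivered = arrivals < POLL_BUDGET ? arrivals : POLL_BUDGET;
    r.dropped = arrivals - r.delivered;
    unsigned long spent = IRQ_COST + r.delivered * PROTO_COST;
    r.user_share = (double)(TICK_CYCLES - spent) / TICK_CYCLES;
    return r;
}
int main(void) {
    unsigned long rates[] = {10000, 148000, 500000};  /* idle, fast-ethernet tinygrams, flood */
    for (int i = 0; i < 3; i++) {
        rx_result a = irq_per_packet(rates[i]), b = napi_poll(rates[i]);
        printf("%6lu pps  irq: user %.0f%% rx %lu | napi: user %.0f%% rx %lu\n", rates[i],
               100 * a.user_share, a.delivered, 100 * b.user_share, b.delivered);
    }
    return 0;
}
```

At the 148kpps rate quoted in the reply the interrupt-per-packet model leaves userspace no cycles at all, and at a flood rate it delivers nothing, while the polling model keeps delivering a bounded share and leaves the rest of the tick to userspace.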