List: linux-bridge
Subject: Re: [Bridge] dos attacks and performance issues
From: Lennert Buytenhek <buytenh () gnu ! org>
Date: 2002-02-06 10:04:47
Hi,
The problem is definitely in software; currently Linux just throws up and dies
when placed under high network load (in terms of packets-per-second). The
real solution is basically to do what NAPI does: to rewrite some network
code and driver code to gracefully handle the case where the system doesn't
keep up with network traffic. With NAPI, I can easily sustain Fast Ethernet
tinygram routing (148kpps) on a P3 500, while userspace applications are not
CPU-starved.
Currently there are driver patches for tulip and 3c59x cards. Get NAPI at
ftp://robur.slu.se/pub/Linux/net-development/NAPI/
You will still see the problem with an Athlon XP and plain Linux 2.4, albeit
under higher loads.
cheers,
Lennert
On Wed, Feb 06, 2002 at 04:52:17AM +0200, Dimitris Zilaskos wrote:
>
> Hi,
>
> Some kids(?) are regularly packeting a box I have behind a bridge /
> firewall.
>
> Firewall/bridge system is a p166 32 ram running Slackware 8. Kernel is
> 2.4.17 patched with bridge-nf-0.0.6-against-2.4.17.diff. I am also using
> bridge-utils-0.9.5 to set up the bridge. Behind the bridge is a hub with a
> single box connected. The whole network runs at 10 Mbps. No processes
> other than the absolutely necessary ones are running on the firewall.
>
> Symptom:
>
> During the attacks the firewall becomes very slow. I press num lock and
> the light goes on after 30 seconds or so, I type something and it shows
> up after some seconds etc. It is almost frozen. The box behind it of
> course loses connectivity. When the attack ceases, or I pull the cable
> connecting to the internet, the system instantly returns to normal. The bridge
> needs some more minutes to start working again but it eventually works.
>
> I am not sure if it is a netfilter code / bridge code / obsolete hardware
> issue. However, the same box in the past has served as an IRC server
> with kernel 2.4.0, and handled various violent attacks like those ones
> without showing the same symptoms.
>
> Attached are the ruleset where the host under attack is 1.2.3.4, and a
> small tcpdump snapshot of the attack. The whole tcpdump file of the
> attack is over 100 Mbytes.
>
> I wanted to know what you guys think about the issue. Should I get an
> Athlon XP or something for the firewall?
>
> Kind regards,
>
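Lennert frames the problem in packets-per-second rather than bandwidth, and the first thing an operator of a bridge like Dimitris's wants is a number: how many packets per second each interface is actually seeing, how small they are, and whether the NIC is already dropping. The script below is an added example, not code from the thread or from NAPI; it parses the Linux /proc/net/dev counter table, computes per-interface rates between two snapshots, and flags interfaces above a threshold. The two snapshots embedded in it are constructed sample data (an eth0/eth1 bridge under a tinygram flood), and the 50,000 pps threshold is an assumed alarm level, not a figure from the thread.

```python
"""Packets-per-second check from two /proc/net/dev snapshots.

Added example, not from the original mailing-list thread and not part of
NAPI. Parses the Linux /proc/net/dev table, derives per-interface packet
rates and average receive packet size, and flags interfaces above a
threshold. The snapshots below are constructed sample data.
"""
import time

# Assumed alarm level (not a number from the thread): a small box with
# interrupt-per-packet drivers can fall over well below this.
DEFAULT_THRESHOLD_PPS = 50_000

# Constructed sample: two readings of /proc/net/dev taken 2 seconds apart.
# eth0 faces the internet, eth1 faces the hub; the bridge forwards most
# of the flood from eth0 to eth1 and the eth0 receive ring starts dropping.
SNAPSHOT_T0 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   10000      100    0    0    0     0          0         0    10000      100    0    0    0     0       0          0
  eth0: 6000000   100000    0    0    0     0          0         0  2000000    20000    0    0    0     0       0          0
  eth1: 2000000    20000    0    0    0     0          0         0  6000000   100000    0    0    0     0       0          0
"""
SNAPSHOT_T2 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   10000      100    0    0    0     0          0         0    10000      100    0    0    0     0       0          0
  eth0: 16800000  280000    0  500    0     0          0         0  2100000    21000    0    0    0     0       0          0
  eth1: 2100000    21000    0    0    0     0          0         0 16500000   275000    0    0    0     0       0          0
"""
SAMPLE_INTERVAL_S = 2.0


def parse_proc_net_dev(text):
    """Return {iface: (rx_bytes, rx_packets, rx_drop, tx_packets)}.

    /proc/net/dev has two header lines, then one line per interface:
    'name:' followed by 8 receive and 8 transmit counters.
    """
    stats = {}
    for line in text.splitlines():
        if ":" not in line:
            continue  # header lines carry no ':'
        iface, _, rest = line.partition(":")
        fields = rest.split()
        if len(fields) < 16:
            continue  # malformed or truncated line, skip rather than guess
        rx_bytes, rx_packets, rx_drop = int(fields[0]), int(fields[1]), int(fields[3])
        tx_packets = int(fields[9])
        stats[iface.strip()] = (rx_bytes, rx_packets, rx_drop, tx_packets)
    return stats


def packet_rates(before, after, interval_s):
    """Per-interface rx/tx pps, average rx packet size and new rx drops."""
    rates = {}
    for iface in before.keys() & after.keys():
        b_bytes, b_rx, b_drop, b_tx = before[iface]
        a_bytes, a_rx, a_drop, a_tx = after[iface]
        d_rx = a_rx - b_rx
        rates[iface] = {
            "rx_pps": d_rx / interval_s,
            "tx_pps": (a_tx - b_tx) / interval_s,
            # tinygram floods show up as a very small average packet size
            "rx_avg_bytes": (a_bytes - b_bytes) / d_rx if d_rx else 0.0,
            "rx_drops": a_drop - b_drop,
        }
    return rates


def flag_overloaded(rates, threshold_pps=DEFAULT_THRESHOLD_PPS):
    """Interfaces whose receive or transmit rate reaches the threshold."""
    return sorted(i for i, r in rates.items()
                  if max(r["rx_pps"], r["tx_pps"]) >= threshold_pps)


def sample_live(interval_s=2.0):
    """Take two real readings of /proc/net/dev (Linux only)."""
    with open("/proc/net/dev") as f:
        first = parse_proc_net_dev(f.read())
    time.sleep(interval_s)
    with open("/proc/net/dev") as f:
        second = parse_proc_net_dev(f.read())
    return packet_rates(first, second, interval_s)


if __name__ == "__main__":
    try:
        rates = sample_live()
    except (FileNotFoundError, PermissionError):
        # not on Linux: fall back to the constructed snapshots
        rates = packet_rates(parse_proc_net_dev(SNAPSHOT_T0),
                             parse_proc_net_dev(SNAPSHOT_T2), SAMPLE_INTERVAL_S)
    for iface, r in sorted(rates.items()):
        print(f"{iface:6} rx {r['rx_pps']:9.0f} pps  tx {r['tx_pps']:9.0f} pps  "
              f"avg {r['rx_avg_bytes']:5.0f} B  new rx drops {r['rx_drops']}")
    print("over threshold:", flag_overloaded(rates) or "none")
```

Run on a real bridge it reads /proc/net/dev twice; on the constructed data it reports eth0 receiving 90,000 pps of 60-byte packets with 500 new drops, which is the kind of reading that separates "the link is saturated" from "the box cannot service this many packets per second", the distinction Lennert's reply turns on.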