On Tue, 24 Jul 2012 19:16:43 +0200 Sandy Herman <[email protected]> wrote:
> Hello,
>
> I have an 8-core x86_64 machine that has 2 Intel 82574L NICs using
> the e1000 driver.
>
> Problem:
> During a spoofed SYN flooding attack (800 Mbits, ~300K packets/sec)
> the ksoftirqd became the bottleneck of the system. The daemon ran
> on a single core using 100% cpu. We had about 40% packet loss.

The ksoftirqd is working as fast as possible to keep up with the requests.

> Google tells me, the problem is "NAPI". How can I disable NAPI?

NAPI is not the problem. In fact, a driver without NAPI will overload the
system with interrupts, making it unusable. NAPI cannot be disabled with the
current E1000 driver.

Things that might help are having a later kernel, adding some netfilter
rules to ratelimit incoming SYN packets, and/or turning on TCP cookies.
But a really determined attacker can fill almost any incoming network pipe.

_______________________________________________
E1000-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/e1000-devel
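One way to confirm the symptom described in the thread (receive processing pinned to a single core) is to compare two snapshots of /proc/net/softnet_stat. This is an added example, not code from either message or from the e1000 project; the snapshot values are constructed, and it assumes all CPUs are online so that row order matches CPU number.

```python
# Added example: find which CPU is doing the NET_RX softirq work.
# /proc/net/softnet_stat has one row per CPU, all fields hex:
#   field 0 = packets processed, field 1 = dropped, field 2 = time_squeeze
#   (softirq poll loop ran out of budget or time with work still queued).
PAD = " 00000000" * 6   # remaining columns, unused here

# Constructed snapshots of an 8-CPU box, taken a few seconds apart.
BEFORE = "\n".join(["00100000 00000000 00000010" + PAD] +
                   ["00001000 00000000 00000000" + PAD] * 7)
AFTER = "\n".join(["00400000 00000000 00002f10" + PAD] +
                  ["00001400 00000000 00000000" + PAD] * 7)


def parse_softnet(text):
    """Return [(processed, dropped, time_squeeze), ...], one tuple per row."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3:
            rows.append(tuple(int(f, 16) for f in fields[:3]))
    return rows


def softirq_imbalance(before, after, share=0.8):
    """Rows (CPUs) that handled at least `share` of packets between snapshots."""
    old, new = parse_softnet(before), parse_softnet(after)
    if len(old) != len(new):
        raise ValueError("snapshots cover a different number of CPUs")
    # Counters are 32-bit and wrap, so take the difference modulo 2**32.
    deltas = [tuple((n - o) % 2**32 for o, n in zip(a, b))
              for a, b in zip(old, new)]
    total = sum(d[0] for d in deltas)
    if total == 0:
        return []
    return [(row, round(d[0] / total, 3), d[2])
            for row, d in enumerate(deltas) if d[0] / total >= share]


if __name__ == "__main__":
    for row, frac, squeezed in softirq_imbalance(BEFORE, AFTER):
        print(f"row {row}: {frac:.1%} of packets, time_squeeze +{squeezed}")
```

On a live host, read the file twice with a short sleep in between and pass both strings to `softirq_imbalance`; a single row carrying nearly all packets with a rising time_squeeze matches the one-core ksoftirqd saturation reported above.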
