On Tue, 24 Jul 2012 10:24:05 -0700 Stephen Hemminger <[email protected]> wrote:
> On Tue, 24 Jul 2012 19:16:43 +0200
> Sandy Herman <[email protected]> wrote:
>
> > Hello,
> >
> > I have a 8 core x86_64 machine that has 2 Intel 82574L NICs using
> > the e1000 driver.
> >
> > Problem:
> > During a spoofed SYN flooding attack (800 Mbits, ~300K packets/sec)
> > the ksoftirqd became the bottleneck of the system. The daemon ran
> > on a single core using 100% cpu. We had about 40% packet loss.
>
> The ksoftirqd is working as fast as possible to keep up with the
> requests.

And to make e1000e more capable of processing packets you could consider turning on RPS to allow more cpus to process packets from the single interrupt that e1000e uses.

> > Google tells me, the problem is "NAPI". How can I disable NAPI?
>
> NAPI is not the problem. In fact, a driver without NAPI will
> overload the system with interrupts making it unusable. NAPI can
> not be disabled with current E1000 driver.
>
> Things that might help are having a later kernel, adding some
> netfilter rules to ratelimit incoming SYN packets, and/or turning
> on TCP cookies.
>
> But a really determined attacker can fill almost any incoming
> network pipe.

Yes, NAPI is actually making your system continue to run in the face of a DoS attack. RPS will allow more CPUs to work on your receive traffic, which will allow more scaling.

See http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Performance_Tuning_Guide/main-network.html#s-network-future for a nice description of RPS and how to enable it. I suggest an rps_cpus value of 0xff to begin.

You may also want to consider enabling RFS while you're there, but start with RPS for simplicity.
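The RPS (and optional RFS) setup the reply above points at, written out as an added example; this is not code from the thread, from the e1000 project, or from the Red Hat guide. It assumes a kernel with RPS/RFS support and the standard sysfs/procfs paths (`/sys/class/net/<iface>/queues/rx-N/rps_cpus`, `rps_flow_cnt`, and `/proc/sys/net/core/rps_sock_flow_entries`); the `SYSFS_ROOT` and `PROC_ROOT` overrides are this example's own, so it can be dry-run against a scratch directory without root and then applied for real with the defaults. An 82574L with e1000e has a single receive queue, so `rps_cpus` on `rx-0` is the knob that spreads its softirq work across cores; the 0xff mask suggested in the thread covers CPUs 0-7.

```shell
#!/bin/sh
# Added example, not from the e1000-devel thread. Enables RPS on every rx queue
# of an interface and, optionally, RFS. SYSFS_ROOT / PROC_ROOT are hypothetical
# overrides for dry runs; leave them unset on a real host.
SYSFS_ROOT="${SYSFS_ROOT:-/sys}"
PROC_ROOT="${PROC_ROOT:-/proc}"

# Print the hex CPU mask that selects CPUs 0..N-1 (8 -> "ff", as in the thread).
# Kernel bitmask files use comma-separated 32-bit words beyond 32 CPUs, which
# this helper does not build, so it refuses N outside 1..32.
rps_mask_for_cpus() {
    n="$1"
    [ "$n" -ge 1 ] 2>/dev/null && [ "$n" -le 32 ] || { echo "cpu count must be 1..32" >&2; return 1; }
    mask=0
    i=0
    while [ "$i" -lt "$n" ]; do
        mask=$(( mask | (1 << i) ))
        i=$(( i + 1 ))
    done
    printf '%x\n' "$mask"
}

# Write MASK into rps_cpus of every rx-* queue of IFACE; print the number of
# queues configured. Fails (non-zero) if the interface does not exist.
rps_enable_iface() {
    iface="$1"; mask="$2"
    qdir="$SYSFS_ROOT/class/net/$iface/queues"
    [ -d "$qdir" ] || { echo "no such interface: $iface" >&2; return 1; }
    count=0
    for q in "$qdir"/rx-*; do
        [ -d "$q" ] || continue
        printf '%s\n' "$mask" > "$q/rps_cpus" || return 1
        count=$(( count + 1 ))
    done
    echo "$count"
}

# RFS: set the global flow table size and split it evenly across the rx queues
# of IFACE (rps_flow_cnt). Prints the per-queue value that was written.
rfs_enable_iface() {
    iface="$1"; entries="${2:-32768}"
    qdir="$SYSFS_ROOT/class/net/$iface/queues"
    [ -d "$qdir" ] || { echo "no such interface: $iface" >&2; return 1; }
    nq=0
    for q in "$qdir"/rx-*; do [ -d "$q" ] && nq=$(( nq + 1 )); done
    [ "$nq" -gt 0 ] || { echo "no rx queues on $iface" >&2; return 1; }
    per_queue=$(( entries / nq ))
    printf '%s\n' "$entries" > "$PROC_ROOT/sys/net/core/rps_sock_flow_entries" || return 1
    for q in "$qdir"/rx-*; do
        [ -d "$q" ] || continue
        printf '%s\n' "$per_queue" > "$q/rps_flow_cnt" || return 1
    done
    echo "$per_queue"
}

# Usage: ./rps.sh eth0 [ncpus]   -- enables RPS only, as the thread advises.
if [ "$#" -ge 1 ]; then
    mask="$(rps_mask_for_cpus "${2:-8}")" || exit 1
    n="$(rps_enable_iface "$1" "$mask")" || exit 1
    echo "RPS mask $mask set on $n rx queue(s) of $1"
fi
```

Run it with `SYSFS_ROOT=/tmp/fakesys ./rps.sh eth0` first to see what it would write, then without the override (as root) on the real interface; the settings do not survive a reboot, so a udev rule or boot script is needed to make them permanent.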
_______________________________________________
E1000-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/e1000-devel
To learn more about Intel® Ethernet, visit http://communities.intel.com/community/wired
