On 7/18/11 5:25 PM, Dmitriy Samsonov wrote:
> My final task is to handle DDoS attacks with a flexible and robust filter available. Haproxy is already helping me to stay alive under ~8-10k DDoS bots (I'm using two servers and DNS RR in production), but attackers are not sleeping and I'm expecting attacks to continue with more bots. I bet they will stop at 20-25k bots. Such a botnet will generate approx. 500k session rate and ~1Gbps bandwidth, so I was dreaming to handle it on this one server with two NICs bonded giving me 2Gbps for traffic :)
I think if that is your goal then you should definitely move to the Intel NICs; people seem to have problems with those bnx NICs with Linux.
Since you are using a new-ish kernel, you might also want to look at the splice options and the smart accept/smart* options for haproxy.
Since DDoS mitigation is your goal, if you have the money you may want to try the 10Gb NICs since, as Willy said, they seem to perform better even at lower levels.
If you have a non-Dell machine with fewer cores and a faster processor, you might want to test that to see if it will work better in this scenario. Also, on all machines, try with hyperthreading on/off at the BIOS level to see if that makes a difference. And you can reduce the cores/CPUs used in the BIOS and grub level settings, so you might try going down to 2 cores, 1 CPU, no hyperthreading and see if that makes a difference. Also, if you do use an Intel card/Intel onboard NIC, there are some settings (IT/AO) that may affect performance.
If this is for DDoS mitigation, for the majority of the connections are you going to be tarpitting, blocking, or passing them on to a real backend server? You may be testing a scenario that does not map well to your real world usage. I would suggest putting keepalived on the current machine (if there is one) and any new machine you are thinking of using to replace the existing one; then you can switch to the new one easily and switch back if you find any show stopper issues.
Also, for DDoS mitigation you probably want to increase these:

net.ipv4.tcp_max_syn_backlog
net.ipv4.ip_local_port_range

Here is a Facebook note about scaling memcache connections per second: http://www.facebook.com/note.php?note_id=39391378919
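As an added example, not code from this thread or from the haproxy project: a small POSIX shell check of the two sysctls named above, which turns the ephemeral port range into the number of new connections per second that can be opened toward a single backend before TIME_WAIT (60 s on Linux) uses up every port. The functions take their values as arguments so they run offline; the sample ranges in the comments are constructed.

```sh
#!/bin/sh
# Added example, not from the thread: check the two sysctls named in the reply.
# Linux keeps a closed socket in TIME_WAIT for 60 s, so the ephemeral port range
# bounds how many new connections per second can go toward one backend address:port.

# read_sysctl NAME: print the live value from /proc/sys, or nothing if unavailable
read_sysctl() {
  f="/proc/sys/$(printf '%s' "$1" | tr . /)"
  if [ -r "$f" ]; then cat "$f"; fi
}

# port_count "LOW HIGH": number of usable ephemeral ports in the range
# (constructed sample: "32768 60999" -> 28232)
port_count() {
  set -- $1
  echo $(( $2 - $1 + 1 ))
}

# max_conn_rate "LOW HIGH" TIME_WAIT_SECS: sustainable new connections/s to a
# single backend before every port in the range sits in TIME_WAIT (integer division)
max_conn_rate() {
  echo $(( $(port_count "$1") / $2 ))
}

# check_port_range "LOW HIGH" TIME_WAIT_SECS TARGET_RATE: succeeds if the range
# can sustain TARGET_RATE new connections/s toward one backend
check_port_range() {
  [ "$(max_conn_rate "$1" "$2")" -ge "$3" ]
}

# check_syn_backlog VALUE MINIMUM: succeeds if the SYN backlog is at least MINIMUM
check_syn_backlog() {
  [ "$1" -ge "$2" ]
}

# report: print the live numbers when /proc/sys is available
report() {
  range=$(read_sysctl net.ipv4.ip_local_port_range)
  backlog=$(read_sysctl net.ipv4.tcp_max_syn_backlog)
  if [ -z "$range" ]; then
    echo "no /proc/sys here; call the functions with explicit values"
    return 0
  fi
  echo "ip_local_port_range=$range -> $(port_count "$range") ports," \
       "~$(max_conn_rate "$range" 60) new conns/s per backend before TIME_WAIT exhaustion"
  echo "tcp_max_syn_backlog=$backlog"
}

report
```

Widening the range (for example down to 1024) and raising the SYN backlog are what the reply is recommending; the check only makes visible how much headroom a given setting leaves for a target rate.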