On 2015-01-27 13:03:19, Jim Thompson wrote:

>> On Jan 27, 2015, at 11:28 AM, Antoine Beaupré <anar...@koumbit.org> wrote:
>>
>> (Please CC, as I am not on the list.)
>>
>> I was surprised to read this article in the pfSense blog:
>>
>> https://blog.pfsense.org/?p=115
>
> That article is from June 2007. It's over seven years old. Times change.

Oh, I got confused by the last comment, which dates from 2013:

>> TLDR: "At this time, polling is not recommended at all."
>
> There are situations which warrant polling.
>
>> Is that true? I am trying to tweak a Supermicro machine as a router to
>> survive major DDOS attacks on a 1gbps link. So far, I can't get far
>> beyond the 100kpps and 50mbps mark.
>>
>> The hardware is:
>>
>> * 2xIntel E1G44HTBLK NICs
>
> Quad port i340 PCIe NIC (igb(4) driver)
>
>> * 1xIntel 1220LV2 CPU
>
> 2 core Ivy Bridge @ 2.3GHz
>
>> More detailed specs here:
>>
>> https://wiki.koumbit.net/rtr1.koumbit.net
>
> Says you're running 9.3

That is correct, we just upgraded.

> The pf in 9.3 is single-threaded.

Is that changed in later versions?

>> We are using a stateful pf firewall and polling on the network
>> interfaces. We got around 100kpps during the DDOS, with 700kpps dropped
>> (or at least 700k/s errors) on the NIC. The DDOS was apparently 5.5gbps
>> but around 400mbps reached our port from upstream's point of view. The
>> kernel interfaces counted around 50mbps:
>>
>> https://redmine.koumbit.net/attachments/download/7706
>> https://redmine.koumbit.net/attachments/download/7707
>> https://redmine.koumbit.net/attachments/download/7708
>> https://redmine.koumbit.net/attachments/download/7709
>
> These want a login/password to access.

Ah, crap. Here:

http://shell.koumbit.net/~anarcat/ddos-snaps-2015-01-27/

>> The load on the router was fine during the DDOS, but of course packet
>> loss was endemic.
>>
>> At this point, I'm considering the following options:
>>
>> * switching to an Intel IGB NIC
>
> You already have one.

Yeah, but the public interface is using some em driver, for some reason. I
think it may be the builtin NIC on the X9SPU-F motherboard.

>> * enabling fastforwarding
>
> Typically a good idea.

Understood.

>> * tweak the number of IGB queues
>>
>> Any recommendations would be welcome.
>
> Have you considered FreeBSD 10.1?

Not yet. What should I expect from the upgrade? We just barely made it to
9.3 at this point...

A.

-- 
Conformity - the natural instinct to passively yield to that vague something
recognized as authority. - Mark Twain

_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
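The thread argues from interface counters (about 100kpps forwarded while the NIC reports roughly 700k errors per second), but a raw `netstat -i` dump only shows cumulative totals. The following POSIX sh helper, added here as an illustration and not part of the thread, turns two `netstat -i` snapshots taken some seconds apart into per-second rates per interface, so that input errors and drops can be compared against forwarded packets. The two snapshots are constructed sample data that mimic the figures Antoine reports; the column layout (Name Mtu Network Address Ipkts Ierrs Idrop Opkts Oerrs Coll) is assumed to match the link-layer lines of `netstat -i` on FreeBSD 9.x, and only lines whose Network column starts with `<Link#` are read.

```shell
#!/bin/sh
# Constructed sample snapshots (hypothetical counters, 10 seconds apart).
# Column layout assumed from FreeBSD 9.x `netstat -i` link lines.
SNAP1='Name    Mtu Network       Address              Ipkts   Ierrs Idrop   Opkts Oerrs Coll
igb0   1500 <Link#1>      00:00:00:00:00:01  1000000     500    10  900000     0    0
em0    1500 <Link#2>      00:00:00:00:00:02  5000000  200000     0 4000000     0    0'
SNAP2='Name    Mtu Network       Address              Ipkts   Ierrs Idrop   Opkts Oerrs Coll
igb0   1500 <Link#1>      00:00:00:00:00:01  2000000     600    10 1800000     0    0
em0    1500 <Link#2>      00:00:00:00:00:02  6000000 7200000     0 4500000     0    0'

# pps_rates FIRST_SNAPSHOT SECOND_SNAPSHOT SECONDS
# Prints one line per link interface:
#   <ifname> <in_pkts/s> <in_errs/s> <in_drops/s> <out_pkts/s>
# The first time an interface is seen its counters are remembered; the second
# time, the per-second delta is printed.
pps_rates() {
    printf '%s\n%s\n' "$1" "$2" | awk -v secs="$3" '
        $3 ~ /^<Link#/ {
            name = $1
            if (name in ipk) {
                printf "%s %d %d %d %d\n", name,
                    ($5 - ipk[name]) / secs, ($6 - ier[name]) / secs,
                    ($7 - idr[name]) / secs, ($8 - opk[name]) / secs
            } else {
                ipk[name] = $5; ier[name] = $6; idr[name] = $7; opk[name] = $8
            }
        }'
}

# Flag interfaces whose input error or drop rate exceeds the forwarded rate:
# on the sample data em0 is losing far more than it accepts, which is the
# symptom described in the thread.
report() {
    pps_rates "$1" "$2" "$3" | while read -r ifname inpps errps droppps outpps; do
        if [ $((errps + droppps)) -gt "$inpps" ]; then
            echo "$ifname $inpps pps in, $errps err/s, $droppps drop/s: LOSING MORE THAN IT FORWARDS"
        else
            echo "$ifname $inpps pps in, $errps err/s, $droppps drop/s, $outpps pps out"
        fi
    done
}

report "$SNAP1" "$SNAP2" 10
```

On a live FreeBSD 9.x router the two snapshots would come from `netstat -i` run before and after a `sleep`, with the same interval passed as the third argument; the heuristic in `report` is an added threshold, not something the thread specifies.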