We have some 4.7 machines in a carp configuration with 120 vlan interfaces and 141 carp interfaces. Works fantastic.

Recently, we've had some attacks originate from inside one of our environments (customer machine on their own vlan). It's actually a machine that is creating an SSH storm with many 62 byte packets. "systat -s 5 ifstat" shows around 45,000 packets per second through the physical interface during the attack and top shows 97% CPU utilization for interrupts. Needless to say, it brings good traffic to a halt. Most of these packets are being dropped by the kernel due to source IP spoofing by the attack.

I was a little surprised to see this few pps (relatively speaking) cause a disruption since the machine is relatively beefy for a router, although it's not the latest and greatest. I included a dmesg output below.

We're using one of the Intel Pro/1000 ports for all customer traffic (all vlans and carp interfaces) and one of the Broadcom ports for management traffic. pf is disabled. The machine is only used to route traffic between VLANs based on IP subnet. Single-proc bsd kernel is being used (MP kernel shows no difference as expected).

Our configuration is extremely basic, almost a standard installation. We haven't done any tweaking. I can dump some of the sysctl.conf file if needed.

While we're obviously taking action to prevent the problem from occurring again from the said machine, I'm hoping that we can improve our OpenBSD configuration to handle future events more gracefully. Is there possibly another processor type, NIC, and/or machine that would be much more efficient at handling this kind of traffic (packets per second, not throughput)? Preferably, we'd like to see this edge router handle 200k pps if possible. If 4.8 has massive improvements, we'll be happy to get it installed.

Any help would be greatly appreciated.

Thanks!
Eric

OpenBSD 4.7 (GENERIC) #112: Wed Mar 17 20:43:49 MDT 2010
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC
real mem = 3756720128 (3582MB)
avail mem = 3650293760 (3481MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.5 @ 0xfd2e0 (60 entries)
bios0: vendor HP version "O12" date 10/25/2010
bios0: HP ProLiant DL160 G5
acpi0 at bios0: rev 2
acpi0: tables DSDT FACP APIC MCFG SPMI OEMB HPET EINJ BERT ERST HEST
acpi0: wakeup devices NPE1(S4) NPE3(S4) NPE5(S4) SPE4(S4) SPE1(S4) SPE2(S4) P0P1(S4) PS2K(S4) PS2M(S4) USB0(S4) USB1(S4) USB2(S4) USB3(S4) EUSB(S4) P0P4(S4) P0P5(S4) P0P6(S4) P0P7(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Xeon(R) CPU L5420 @ 2.50GHz, 2494.07 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR,NXE,LONG
cpu0: 6MB 64b/line 16-way L2 cache
cpu0: apic clock running at 332MHz
cpu at mainbus0: not configured
cpu at mainbus0: not configured
cpu at mainbus0: not configured
ioapic0 at mainbus0: apid 4 pa 0xfec00000, version 20, 24 pins
ioapic1 at mainbus0: apid 6 pa 0xfec89000, version 20, 24 pins
ioapic1: misconfigured as apic 5, remapped to apid 6
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 10 (NPE1)
acpiprt2 at acpi0: bus -1 (NPE3)
acpiprt3 at acpi0: bus 9 (NPE5)
acpiprt4 at acpi0: bus 5 (NPES)
acpiprt5 at acpi0: bus 6 (SPE4)
acpiprt6 at acpi0: bus -1 (P8PC)
acpiprt7 at acpi0: bus 2 (P0P4)
acpiprt8 at acpi0: bus 3 (P0P5)
acpiprt9 at acpi0: bus 4 (P0P6)
acpicpu0 at acpi0
acpibtn0 at acpi0: PWRB
ipmi at mainbus0 not configured
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel E5400B Host" rev 0x20
ppb0 at pci0 dev 1 function 0 "Intel E5400 PCIE" rev 0x20
pci1 at ppb0 bus 10
em0 at pci1 dev 0 function 0 "Intel PRO/1000 PT (82571EB)" rev 0x06: apic 6 int 0 (irq 10), address 00:24:81:82:6b:2c
em1 at pci1 dev 0 function 1 "Intel PRO/1000 PT (82571EB)" rev 0x06: apic 6 int 10 (irq 11), address 00:24:81:82:6b:2d
ppb1 at pci0 dev 5 function 0 "Intel E5400 PCIE" rev 0x20
pci2 at ppb1 bus 9
mpi0 at pci2 dev 0 function 0 "Symbios Logic SAS1064E" rev 0x08: apic 6 int 4 (irq 10)
scsibus0 at mpi0: 112 targets
sd0 at scsibus0 targ 3 lun 0: <LSILOGIC, Logical Volume, 3000> SCSI2 0/direct fixed
sd0: 151634MB, 512 bytes/sec, 310546432 sec total
ppb2 at pci0 dev 9 function 0 "Intel E5400 PCIE" rev 0x20
pci3 at ppb2 bus 5
ppb3 at pci3 dev 0 function 0 "Intel 6321ESB PCIE" rev 0x01
pci4 at ppb3 bus 6
ppb4 at pci4 dev 0 function 0 "Intel 6321ESB PCIE" rev 0x01
pci5 at ppb4 bus 7
ppb5 at pci3 dev 0 function 3 "Intel 6321ESB PCIE-PCIX" rev 0x01
pci6 at ppb5 bus 8
pchb1 at pci0 dev 16 function 0 "Intel E5400 FSB/Boot/Interrupt" rev 0x20
pchb2 at pci0 dev 16 function 1 "Intel E5400 FSB/Boot/Interrupt" rev 0x20
pchb3 at pci0 dev 16 function 2 "Intel E5400 FSB/Boot/Interrupt" rev 0x20
pchb4 at pci0 dev 16 function 3 "Intel E5400 FSB/Boot/Interrupt" rev 0x20
pchb5 at pci0 dev 16 function 4 "Intel E5400 FSB/Boot/Interrupt" rev 0x20
pchb6 at pci0 dev 17 function 0 "Intel E5400 Coherency Engine" rev 0x20
pchb7 at pci0 dev 21 function 0 "Intel E5400 RAS" rev 0x20
pchb8 at pci0 dev 21 function 1 "Intel E5400 RAS" rev 0x20
pchb9 at pci0 dev 22 function 0 "Intel E5400 RAS" rev 0x20
pchb10 at pci0 dev 22 function 1 "Intel E5400 RAS" rev 0x20
ppb6 at pci0 dev 28 function 0 "Intel 6321ESB PCIE" rev 0x09: apic 4 int 16 (irq 10)
pci7 at ppb6 bus 2
vga1 at pci7 dev 0 function 0 "Matrox MGA G200e (ServerEngines)" rev 0x02
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ppb7 at pci0 dev 28 function 1 "Intel 6321ESB PCIE" rev 0x09: apic 4 int 17 (irq 11)
pci8 at ppb7 bus 3
bge0 at pci8 dev 0 function 0 "Broadcom BCM5722" rev 0x00, BCM5755 C0 (0xa200): apic 4 int 17 (irq 11), address 00:23:7d:5f:69:60
brgphy0 at bge0 phy 1: BCM5722 10/100/1000baseT PHY, rev. 0
ppb8 at pci0 dev 28 function 2 "Intel 6321ESB PCIE" rev 0x09: apic 4 int 18 (irq 5)
pci9 at ppb8 bus 4
bge1 at pci9 dev 0 function 0 "Broadcom BCM5722" rev 0x00, BCM5755 C0 (0xa200): apic 4 int 18 (irq 5), address 00:23:7d:5f:69:61
brgphy1 at bge1 phy 1: BCM5722 10/100/1000baseT PHY, rev. 0
uhci0 at pci0 dev 29 function 0 "Intel 6321ESB USB" rev 0x09: apic 4 int 23 (irq 7)
uhci1 at pci0 dev 29 function 1 "Intel 6321ESB USB" rev 0x09: apic 4 int 19 (irq 3)
uhci2 at pci0 dev 29 function 2 "Intel 6321ESB USB" rev 0x09: apic 4 int 18 (irq 5)
uhci3 at pci0 dev 29 function 3 "Intel 6321ESB USB" rev 0x09: apic 4 int 16 (irq 10)
ehci0 at pci0 dev 29 function 7 "Intel 6321ESB USB" rev 0x09: apic 4 int 23 (irq 7)
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ppb9 at pci0 dev 30 function 0 "Intel 82801BA Hub-to-PCI" rev 0xd9
pci10 at ppb9 bus 1
pcib0 at pci0 dev 31 function 0 "Intel 6321ESB LPC" rev 0x09
pciide0 at pci0 dev 31 function 1 "Intel 6321ESB IDE" rev 0x09: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
pciide0: channel 0 disabled (no drives)
pciide0: channel 1 disabled (no drives)
pciide1 at pci0 dev 31 function 2 "Intel 6321ESB SATA" rev 0x09: DMA, channel 0 configured to native-PCI, channel 1 configured to native-PCI
pciide1: using apic 4 int 19 (irq 3) for native-PCI interrupt
usb1 at uhci0: USB revision 1.0
uhub1 at usb1 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb2 at uhci1: USB revision 1.0
uhub2 at usb2 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb3 at uhci2: USB revision 1.0
uhub3 at usb3 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb4 at uhci3: USB revision 1.0
uhub4 at usb4 "Intel UHCI root hub" rev 1.00/1.00 addr 1
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
kbc: cmd word write error
pcppi0 at isa0 port 0x61
midi0 at pcppi0: <PC speaker>
spkr0 at pcppi0
mtrr: Pentium Pro MTRR support
uhidev0 at uhub1 port 1 configuration 1 interface 0 "ServerEngines SE USB Device" rev 1.10/0.01 addr 2
uhidev0: iclass 3/1
ukbd0 at uhidev0: 8 modifier keys, 6 key codes
wskbd0 at ukbd0 mux 1
wskbd0: connecting to wsdisplay0
uhidev1 at uhub1 port 1 configuration 1 interface 1 "ServerEngines SE USB Device" rev 1.10/0.01 addr 2
uhidev1: iclass 3/1
ums0 at uhidev1: 8 buttons, Z dir
wsmouse0 at ums0 mux 0
vscsi0 at root
scsibus1 at vscsi0: 256 targets
softraid0 at root
root on sd0a swap on sd0b dump on sd0b