Re: SOLVED [was: firewall is very slow, something's wrong]

2007-10-17 Thread Henning Brauer
* Florin Andrei <[EMAIL PROTECTED]> [2007-10-17 00:16]:
> HOLY SH*T! I tried 4.2. It rocks!
>
> Just the first test that I tried after installing it:
> - switched gigabit network
> - web server behind 1:1 NATing firewall
> - firewall is AMD64 X2 2.4GHz
> - downloading 2GB file via HTTP through the firewall in infinite loop
> - flooding the firewall with small UDP packets, random source IPs, 
> generated as fast as my workstation (AMD64 X2 6400, Intel Pro/1000 PCI 
> Express card, Linux Fedora 7, running the kernel-level "pktgen" packet 
> generator which is very fast) can crank them out. The packets are directed 
> to the NATed address of the web server, to a port that's blocked by the 
> firewall.
>
> Under these conditions, OpenBSD 4.1 as a firewall just keels over and dies. 
> All traffic through the firewall just stops in an instant.
> Linux 2.6.18 fares slightly better, the current download finishes up, but 
> another one won't start.
>
> But the default OpenBSD 4.2 i386 uniprocessor kernel doesn't seem to care. 

lovely :)

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



Re: SOLVED [was: firewall is very slow, something's wrong]

2007-10-16 Thread Florin Andrei

Stuart Henderson wrote:
> On 2007/10/16 15:27, James Hartley wrote:
> > Secondly, does anyone on the mailing list know of an OpenBSD
> > equivalent to pktgen?
> 
> Not in-kernel, but netblast from the netrate package is somewhat
> useful.


If anybody has a same-hardware performance comparison between pktgen and 
netblast, please post it. I'm especially interested in generating lots 
of small packets, which is difficult.


--
Florin Andrei

http://florin.myip.org/



Re: SOLVED [was: firewall is very slow, something's wrong]

2007-10-16 Thread Stuart Henderson
On 2007/10/16 15:27, James Hartley wrote:
> On 10/16/07, Florin Andrei <[EMAIL PROTECTED]> wrote:
> > - flooding the firewall with small UDP packets, random source IPs,
> > generated as fast as my workstation (AMD64 X2 6400, Intel Pro/1000 PCI
> > Express card, Linux Fedora 7, running the kernel-level "pktgen" packet
> > generator which is very fast) can crank them out.
> 
> First, thanks for sharing your findings.
> 
> Secondly, does anyone on the mailing list know of an OpenBSD
> equivalent to pktgen?

Not in-kernel, but netblast from the netrate package is somewhat
useful.



Re: SOLVED [was: firewall is very slow, something's wrong]

2007-10-16 Thread James Hartley
On 10/16/07, Florin Andrei <[EMAIL PROTECTED]> wrote:
> - flooding the firewall with small UDP packets, random source IPs,
> generated as fast as my workstation (AMD64 X2 6400, Intel Pro/1000 PCI
> Express card, Linux Fedora 7, running the kernel-level "pktgen" packet
> generator which is very fast) can crank them out.

First, thanks for sharing your findings.

Secondly, does anyone on the mailing list know of an OpenBSD
equivalent to pktgen?

Thanks.

Jim



SOLVED [was: firewall is very slow, something's wrong]

2007-10-16 Thread Florin Andrei

Florin Andrei wrote:
> ##
> Huge performance improvements in the network stack, including:
> * In pf, store routing table ID, queue ID etc directly in the packet 
> header mbuf instead of using mbuf tags (which use malloc'd memory). This 
> yields a 100% improvement in pf performance.
> * Skip TCP/UDP/ICMP/ICMP6 checksumming when not necessary. This 
> yields a further 10% improvement in pf performance.
> * A change in the way the kernel random pool is stirred greatly 
> increases performance with network interface cards that support 
> interrupt mitigation, especially on architectures where reading the 
> clock is expensive (such as amd64).
> ##
> 
> I'll try 4.2.


HOLY SH*T! I tried 4.2. It rocks!

Just the first test that I tried after installing it:
- switched gigabit network
- web server behind 1:1 NATing firewall
- firewall is AMD64 X2 2.4GHz
- downloading 2GB file via HTTP through the firewall in infinite loop
- flooding the firewall with small UDP packets, random source IPs, 
generated as fast as my workstation (AMD64 X2 6400, Intel Pro/1000 PCI 
Express card, Linux Fedora 7, running the kernel-level "pktgen" packet 
generator which is very fast) can crank them out. The packets are 
directed to the NATed address of the web server, to a port that's 
blocked by the firewall.


Under these conditions, OpenBSD 4.1 as a firewall just keels over and 
dies. All traffic through the firewall just stops in an instant.
Linux 2.6.18 fares slightly better, the current download finishes up, 
but another one won't start.


But the default OpenBSD 4.2 i386 uniprocessor kernel doesn't seem to 
care. The download just keeps going. New downloads are initiated OK 
through the firewall. There are even spare CPU cycles left :-) not many 
(10%) but still. There's a very large percentage of CPU (80...90%) used 
for interrupts.


Good job folks, I'm impressed.

Anyone building gigabit routers and firewalls, don't delay, upgrade to 
4.2. Heck, do that even for 100Mbit systems, this type of DoS doesn't 
need much bandwidth to be effective.


I'll keep doing tests. If anything interesting shows up, I'll post the 
results in a new thread.


--
Florin Andrei

http://florin.myip.org/
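The post above notes that a small-packet flood does not need much bandwidth to be effective. The following is an added worked example, not code from any of the posters: it turns link speed and frame size into the packet rate a firewall has to keep up with, using the standard Ethernet framing constants (64-byte minimum frame, 8-byte preamble/SFD, 12-byte inter-frame gap). The payload sizes in the table are constructed sample values.

```python
"""Wire-rate arithmetic for small-packet floods on Ethernet links.

Added example for the thread above, not code from the original posts.
Uses standard Ethernet framing constants rather than measured values.
"""

# Overhead that occupies the wire but is not part of the frame itself.
PREAMBLE_SFD_BYTES = 8   # 7-byte preamble + 1-byte start-of-frame delimiter
IFG_BYTES = 12           # minimum inter-frame gap, in byte times
MIN_FRAME_BYTES = 64     # smallest legal Ethernet frame, including the FCS

ETH_HDR_BYTES = 14
FCS_BYTES = 4
IPV4_HDR_BYTES = 20
UDP_HDR_BYTES = 8


def frames_per_second(link_bps: float, frame_bytes: int = MIN_FRAME_BYTES) -> float:
    """Maximum frame rate a link can carry for a given frame size."""
    if frame_bytes < MIN_FRAME_BYTES:
        frame_bytes = MIN_FRAME_BYTES  # short frames are padded to 64 bytes
    wire_bits = (frame_bytes + PREAMBLE_SFD_BYTES + IFG_BYTES) * 8
    return link_bps / wire_bits


def ns_per_frame(link_bps: float, frame_bytes: int = MIN_FRAME_BYTES) -> float:
    """Per-frame time budget (ns) before the firewall falls behind line rate."""
    return 1e9 / frames_per_second(link_bps, frame_bytes)


def udp_frame_bytes(payload_bytes: int) -> int:
    """Ethernet frame size for an IPv4/UDP datagram carrying this payload."""
    raw = ETH_HDR_BYTES + IPV4_HDR_BYTES + UDP_HDR_BYTES + payload_bytes + FCS_BYTES
    return max(MIN_FRAME_BYTES, raw)


def packets_per_second_table(link_bps: float,
                             payloads=(0, 18, 100, 500, 1472)) -> dict:
    """Line-rate pps for several UDP payload sizes (constructed sample sizes)."""
    return {p: round(frames_per_second(link_bps, udp_frame_bytes(p)))
            for p in payloads}


if __name__ == "__main__":
    for name, bps in (("100 Mbit/s", 100e6), ("1 Gbit/s", 1e9)):
        print(f"{name}: {frames_per_second(bps):,.0f} min-size frames/s, "
              f"{ns_per_frame(bps):.0f} ns per frame")
        for payload, pps in packets_per_second_table(bps).items():
            print(f"  UDP payload {payload:5d} B -> {pps:>10,d} pps")
```

The 18-byte payload row is the largest UDP payload that still fits a minimum-size frame; everything at or below it costs the firewall the same per-packet work at the same wire rate, which is why a flood of tiny datagrams is so much harsher on pf than a bulk download moving the same number of bits.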