is polling still a thing?

Antoine Beaupré anarcat at koumbit.org
Tue Jan 27 18:19:25 UTC 2015 

On 2015-01-27 13:03:19, Jim Thompson wrote:
>> On Jan 27, 2015, at 11:28 AM, Antoine Beaupré <anarcat at koumbit.org> wrote:
>> 
>> (Please CC, as i am not on the list.)
>> 
>> I was surprised to read this article in the pfSense blog:
>> 
>> https://blog.pfsense.org/?p=115 <https://blog.pfsense.org/?p=115>
>
> That article is from June 2007.  It’s over seven years old.  Times change.

Oh, i got confused by the last comment, which dates from 2013:

>> TLDR: "At this time, polling is not recommended at all.”
>
> There are situations which warrant polling.
>
>> Is that true? I am trying to tweak a Supermicro machine as a router to
>> survive major DDOS attacks on a 1gbps link. So far, I can't get far
>> beyond the 100kpps and 50mbps mark.
>> 
>> The hardware is:
>> 
>> * 2xIntel E1G44HTBLK NICs
>
> Quad port i340 PCIe Nic (igb(4) driver)
>
>> * 1xIntel 1220LV2 CPU
>
> 2 core Ivy Bridge @ 2.3GHz
>
>> More detailed specs here:
>> 
>> https://wiki.koumbit.net/rtr1.koumbit.net <https://wiki.koumbit.net/rtr1.koumbit.net>
>
> Says you’re running 9.3

That is correct, we just upgraded.

> The pf in 9.3 is single-threaded.

Is that changed in later versions?

>> We are using a stateful pf firewall and polling on the network
>> interfaces. We got around 100kpps during the DDOS, with 700kpps dropped
>> (or at least 700k/s errors) on the NIC. The DDOS was apparently 5.5gbps
>> but around 400mbps reached our port from upstream's point of view. The
>> kernel interfaces counted around 50mbps:
>> 
>> https://redmine.koumbit.net/attachments/download/7706
>> https://redmine.koumbit.net/attachments/download/7707
>> https://redmine.koumbit.net/attachments/download/7708
>> https://redmine.koumbit.net/attachments/download/7709 <https://redmine.koumbit.net/attachments/download/7709>
>
> These want a login/password to access.

Ah, crap. Here:

http://shell.koumbit.net/~anarcat/ddos-snaps-2015-01-27/

>> The load on the router was fine during the DDOS, but of course packet
>> loss was endemic.
>> 
>> At this point, I'm considering the following options:
>> 
>> * switching to an Intel IGB nic
> You already have one.

Yeah, but the public interface is using some em driver, for some
reason. I think it may be the builtin NIC on the X9SPU-F motherboard.

>> * enabling fastforwarding
> typically a good idea.

Understood.

>> * tweak the number of IGB queues
>> 
>> Any recommendations would be welcome.
>
> Have you considered FreeBSD 10.1?

Not yet. What should i expect from the upgrade? We just barely made it
to 9.3 at this point...

A.

-- 
Conformity-the natural instinct to passively yield to that vague something
recognized as authority.
                        - Mark Twain

More information about the freebsd-net mailing list