is polling still a thing?
Antoine Beaupré
anarcat at koumbit.org
Tue Jan 27 18:19:25 UTC 2015
On 2015-01-27 13:03:19, Jim Thompson wrote:
>> On Jan 27, 2015, at 11:28 AM, Antoine Beaupré <anarcat at koumbit.org> wrote:
>>
>> (Please CC, as I am not on the list.)
>>
>> I was surprised to read this article in the pfSense blog:
>>
>> https://blog.pfsense.org/?p=115
>
> That article is from June 2007. It’s over seven years old. Times change.
Oh, I got confused by the last comment, which dates from 2013:
>> TLDR: "At this time, polling is not recommended at all."
>
> There are situations which warrant polling.
>
>> Is that true? I am trying to tweak a Supermicro machine as a router to
>> survive major DDOS attacks on a 1gbps link. So far, I can't get far
>> beyond the 100kpps and 50mbps mark.
>>
>> The hardware is:
>>
>> * 2xIntel E1G44HTBLK NICs
>
> Quad port i340 PCIe Nic (igb(4) driver)
>
>> * 1xIntel 1220LV2 CPU
>
> 2 core Ivy Bridge @ 2.3GHz
>
>> More detailed specs here:
>>
>> https://wiki.koumbit.net/rtr1.koumbit.net
>
> Says you’re running 9.3
That is correct, we just upgraded.
> The pf in 9.3 is single-threaded.
Is that changed in later versions?
>> We are using a stateful pf firewall and polling on the network
>> interfaces. We got around 100kpps during the DDOS, with 700kpps dropped
>> (or at least 700k/s errors) on the NIC. The DDOS was apparently 5.5gbps
>> but around 400mbps reached our port from upstream's point of view. The
>> kernel interfaces counted around 50mbps:
>>
>> https://redmine.koumbit.net/attachments/download/7706
>> https://redmine.koumbit.net/attachments/download/7707
>> https://redmine.koumbit.net/attachments/download/7708
>> https://redmine.koumbit.net/attachments/download/7709
>
> These want a login/password to access.
Ah, crap. Here:
http://shell.koumbit.net/~anarcat/ddos-snaps-2015-01-27/
>> The load on the router was fine during the DDOS, but of course packet
>> loss was endemic.
>>
>> At this point, I'm considering the following options:
>>
>> * switching to an Intel IGB nic
> You already have one.
Yeah, but the public interface is using some em driver, for some
reason. I think it may be the builtin NIC on the X9SPU-F motherboard.
>> * enabling fastforwarding
> typically a good idea.
Understood.
>> * tweak the number of IGB queues
>>
>> Any recommendations would be welcome.
>
> Have you considered FreeBSD 10.1?
Not yet. What should I expect from the upgrade? We just barely made it
to 9.3 at this point...
A.
--
Conformity-the natural instinct to passively yield to that vague something
recognized as authority.
- Mark Twain
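The numbers at the centre of this thread (roughly 100 kpps forwarded while about 700 kpps showed up as NIC errors) come from per-second interface counters. The script below is an added example, not part of the thread or of FreeBSD; it summarises `netstat -I <if> -w 1` style output (packets, errs, idrops per second on the input side) and flags any sampled second in which input errors and drops exceed a chosen share of everything that arrived on the wire. The `SAMPLE` lines are constructed to resemble the figures discussed, not captured data, and the column layout is the FreeBSD 9.x one shown in the header line.

```shell
#!/bin/sh
# Added example (not from the thread): summarise per-second NIC counters from
# "netstat -I <if> -w 1" style output and flag seconds where input errors plus
# input drops exceed a threshold share of all packets seen on the wire.
# SAMPLE is constructed to resemble ~100kpps forwarded / ~700kpps errors.

SAMPLE='            input        (igb0)           output
   packets  errs idrops      bytes    packets  errs      bytes colls
     98000     0     0   58800000      97500     0   58500000     0
    101200 698400     0   60720000     100900     0   60540000     0
    100500 702100   120   60300000     100100     0   60060000     0
     99800     0     0   59880000      99300     0   59580000     0'

# drop_report THRESHOLD_PERCENT  (reads netstat -w output on stdin)
# Prints one line per sampled second: "<in_pps> <in_errs+idrops> <loss_pct> <OK|ALERT>"
drop_report() {
    thr="$1"
    awk -v thr="$thr" '
        # data rows start with two numeric columns; header rows do not
        /^ *[0-9]+ +[0-9]+/ {
            pkts = $1; errs = $2; idrops = $3
            total = pkts + errs + idrops
            pct = (total > 0) ? (errs + idrops) * 100 / total : 0
            status = (pct >= thr) ? "ALERT" : "OK"
            printf "%d %d %.1f %s\n", pkts, errs + idrops, pct, status
        }'
}

# alert_count THRESHOLD_PERCENT  (reads netstat -w output on stdin)
# Number of sampled seconds whose loss share reached the threshold.
alert_count() {
    drop_report "$1" | awk '$4 == "ALERT" { n++ } END { print n + 0 }'
}

# Usage on the constructed sample; on a live FreeBSD box replace the printf
# with: netstat -I igb0 -w 1 | drop_report 10
printf '%s\n' "$SAMPLE" | drop_report 10
printf '%s\n' "$SAMPLE" | alert_count 10
```

The loss share is computed against packets plus errors plus drops rather than against packets alone, so it answers "what fraction of what hit the port was lost" rather than the easier-to-misread "errors as a multiple of forwarded packets". For the second sample row the script reports about 87% loss, which is the order of magnitude the thread describes.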