Date: Tue, 27 Jan 2015 13:19:21 -0500
From: Antoine Beaupré <anarcat@koumbit.org>
To: Jim Thompson <jim@netgate.com>
Cc: freebsd-net@FreeBSD.org
Subject: Re: is polling still a thing?
Message-ID: <87vbjsaxxy.fsf@marcos.anarc.at>
In-Reply-To: <A32D80F3-9D34-4136-A870-B28582F6EAA0@netgate.com>
References: <871tmgceup.fsf@marcos.anarc.at> <A32D80F3-9D34-4136-A870-B28582F6EAA0@netgate.com>
On 2015-01-27 13:03:19, Jim Thompson wrote:
>> On Jan 27, 2015, at 11:28 AM, Antoine Beaupré <anarcat@koumbit.org> wrote:
>>
>> (Please CC, as I am not on the list.)
>>
>> I was surprised to read this article in the pfSense blog:
>>
>> https://blog.pfsense.org/?p=115
>
> That article is from June 2007. It's over seven years old. Times change.

Oh, I got confused by the last comment, which dates from 2013:

>> TLDR: "At this time, polling is not recommended at all."
>
> There are situations which warrant polling.
>
>> Is that true? I am trying to tweak a Supermicro machine as a router to
>> survive major DDoS attacks on a 1 Gbps link. So far, I can't get far
>> beyond the 100 kpps and 50 Mbps mark.
>>
>> The hardware is:
>>
>> * 2x Intel E1G44HTBLK NICs
>
> Quad port i340 PCIe NIC (igb(4) driver)
>
>> * 1x Intel 1220LV2 CPU
>
> 2 core Ivy Bridge @ 2.3 GHz
>
>> More detailed specs here:
>>
>> https://wiki.koumbit.net/rtr1.koumbit.net
>
> Says you're running 9.3

That is correct, we just upgraded.

> The pf in 9.3 is single-threaded.

Is that changed in later versions?

>> We are using a stateful pf firewall and polling on the network
>> interfaces. We got around 100 kpps during the DDoS, with 700 kpps dropped
>> (or at least 700k/s errors) on the NIC. The DDoS was apparently 5.5 Gbps
>> but around 400 Mbps reached our port from upstream's point of view. The
>> kernel interfaces counted around 50 Mbps:
>>
>> https://redmine.koumbit.net/attachments/download/7706
>> https://redmine.koumbit.net/attachments/download/7707
>> https://redmine.koumbit.net/attachments/download/7708
>> https://redmine.koumbit.net/attachments/download/7709
>
> These want a login/password to access.

Ah, crap.

Here: http://shell.koumbit.net/~anarcat/ddos-snaps-2015-01-27/

>> The load on the router was fine during the DDoS, but of course packet
>> loss was endemic.
>>
>> At this point, I'm considering the following options:
>>
>> * switching to an Intel IGB NIC
>
> You already have one.

Yeah, but the public interface is using some em driver, for some reason. I
think it may be the builtin NIC on the X9SPU-F motherboard.

>> * enabling fastforwarding
>
> typically a good idea.

Understood.

>> * tweak the number of IGB queues
>>
>> Any recommendations would be welcome.
>
> Have you considered FreeBSD 10.1?

Not yet. What should I expect from the upgrade? We just barely made it to
9.3 at this point...

A.

--
Conformity - the natural instinct to passively yield to that vague something
recognized as authority. - Mark Twain
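The numbers Antoine quotes above (about 100 kpps delivered against roughly 700 k/s of input errors on the NIC) are the kind of figure `netstat -w 1 -I <ifname>` prints once per second on FreeBSD. The helper below is an added example, not code from this thread, from Antoine's router or from FreeBSD itself. It assumes the 9.x/10.x `netstat -w` column layout (input: packets errs idrops bytes; output: packets errs bytes colls), and the sample lines embedded in it are constructed to resemble the figures in the message, not captured output. It computes the offered packet rate (delivered plus errored/dropped) per interval and flags intervals where the NIC loses more than it hands to the kernel.

```python
"""Flag intervals in FreeBSD `netstat -w 1 -I <ifname>` output where the NIC is
dropping more packets than it delivers to the kernel.

Added example, not from the thread or from FreeBSD.  Assumes the 9.x/10.x
`netstat -w` column layout (input: packets errs idrops bytes; output: packets
errs bytes colls) and keeps only rows whose fields are all numeric, so the
header lines netstat repeats periodically are skipped.
"""
from dataclasses import dataclass
from typing import List

# Constructed sample, not a capture from the router in the thread.  Rows two
# and three are shaped like the figures quoted there (~100 kpps delivered,
# ~700 k/s input errors, ~50 Mbit/s seen by the kernel); row one is a quiet
# interval for contrast.
SAMPLE_NETSTAT = """\
            input         (igb0)           output
   packets  errs idrops      bytes    packets  errs      bytes colls
     12000     0     0    9000000      11800     0    8900000     0
    101000 700000     0    6500000      99000     0    6336000     0
     98000 710000     0    6300000      97500     0    6240000     0
"""


@dataclass(frozen=True)
class Interval:
    """One one-second sample line from `netstat -w 1`."""
    ipkts: int
    ierrs: int
    idrops: int
    ibytes: int
    opkts: int
    oerrs: int
    obytes: int
    colls: int

    @property
    def in_mbps(self) -> float:
        """Input bytes for the interval expressed as megabits per second."""
        return self.ibytes * 8 / 1e6

    @property
    def offered_pps(self) -> int:
        """Packets the NIC actually received: delivered plus errored/dropped.

        Measuring against this, not against `ipkts`, is what shows that a
        '100 kpps' load is really an ~800 kpps flood of which most is lost
        before pf ever sees it.
        """
        return self.ipkts + self.ierrs + self.idrops

    @property
    def loss_ratio(self) -> float:
        """Fraction of offered packets the NIC could not hand to the kernel."""
        offered = self.offered_pps
        return 0.0 if offered == 0 else (self.ierrs + self.idrops) / offered


def parse_netstat_w(text: str) -> List[Interval]:
    """Parse `netstat -w` output into Intervals, ignoring headers and blanks."""
    rows: List[Interval] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8 or not all(f.isdigit() for f in fields):
            continue  # header line, blank line, or unexpected layout
        rows.append(Interval(*(int(f) for f in fields)))
    return rows


def flag_overloaded(rows: List[Interval], loss_threshold: float = 0.5) -> List[int]:
    """Indices of intervals whose NIC-level loss ratio exceeds loss_threshold."""
    return [i for i, r in enumerate(rows) if r.loss_ratio > loss_threshold]


def report(rows: List[Interval]) -> List[str]:
    """One human-readable line per interval, marking overloaded ones."""
    bad = set(flag_overloaded(rows))
    lines = []
    for i, r in enumerate(rows):
        mark = "  <-- NIC dropping more than it delivers" if i in bad else ""
        lines.append(
            f"t={i}s in={r.ipkts} pps ({r.in_mbps:.1f} Mbit/s) "
            f"offered={r.offered_pps} pps loss={r.loss_ratio:.0%}{mark}"
        )
    return lines


if __name__ == "__main__":
    for line in report(parse_netstat_w(SAMPLE_NETSTAT)):
        print(line)
```

The point of separating `offered_pps` from `ipkts` is diagnostic: when the errs/idrops columns dominate, the packets are being lost at the NIC ring or interrupt-handling stage, before pf or the forwarding path is involved, so changes to pf state handling alone will not move the number; queue count, ring sizes and the polling-versus-interrupt choice are the knobs that act at that stage.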
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?87vbjsaxxy.fsf>