From: Antoine Beaupré
To: Jim Thompson
Cc: freebsd-net@FreeBSD.org
Subject: Re: is polling still a thing?
Date: Tue, 27 Jan 2015 13:19:21 -0500
Message-ID: <87vbjsaxxy.fsf@marcos.anarc.at>
References: <871tmgceup.fsf@marcos.anarc.at>

On 2015-01-27 13:03:19, Jim Thompson wrote:
>> On Jan 27, 2015, at 11:28 AM, Antoine Beaupré wrote:
>>
>> (Please CC, as I am not on the list.)
>>
>> I was surprised to read this article in the pfSense blog:
>>
>> https://blog.pfsense.org/?p=115
>
> That article is from June 2007. It's over seven years old. Times change.

Oh, I got confused by the last comment, which dates from 2013:

>> TLDR: "At this time, polling is not recommended at all."
>
> There are situations which warrant polling.
>
>> Is that true? I am trying to tweak a Supermicro machine as a router to
>> survive major DDOS attacks on a 1gbps link. So far, I can't get far
>> beyond the 100kpps and 50mbps mark.
>>
>> The hardware is:
>>
>> * 2xIntel E1G44HTBLK NICs
>
> Quad port i340 PCIe NIC (igb(4) driver)
>
>> * 1xIntel 1220LV2 CPU
>
> 2 core Ivy Bridge @ 2.3GHz
>
>> More detailed specs here:
>>
>> https://wiki.koumbit.net/rtr1.koumbit.net
>
> Says you're running 9.3

That is correct, we just upgraded.

> The pf in 9.3 is single-threaded.

Is that changed in later versions?

>> We are using a stateful pf firewall and polling on the network
>> interfaces. We got around 100kpps during the DDOS, with 700kpps dropped
>> (or at least 700k/s errors) on the NIC. The DDOS was apparently 5.5gbps
>> but around 400mbps reached our port from upstream's point of view. The
>> kernel interfaces counted around 50mbps:
>>
>> https://redmine.koumbit.net/attachments/download/7706
>> https://redmine.koumbit.net/attachments/download/7707
>> https://redmine.koumbit.net/attachments/download/7708
>> https://redmine.koumbit.net/attachments/download/7709
>
> These want a login/password to access.

Ah, crap. Here:

http://shell.koumbit.net/~anarcat/ddos-snaps-2015-01-27/

>> The load on the router was fine during the DDOS, but of course packet
>> loss was endemic.
>>
>> At this point, I'm considering the following options:
>>
>> * switching to an Intel IGB nic
>
> You already have one.

Yeah, but the public interface is using some em driver, for some reason.
I think it may be the builtin NIC on the X9SPU-F motherboard.

>> * enabling fastforwarding
>
> typically a good idea.

Understood.

>> * tweak the number of IGB queues
>>
>> Any recommendations would be welcome.
>
> Have you considered FreeBSD 10.1?

Not yet. What should I expect from the upgrade? We just barely made it to
9.3 at this point...

A.

-- 
Conformity-the natural instinct to passively yield to that vague something recognized as authority. - Mark Twain
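The three knobs this thread discusses (fastforwarding, the number of igb(4) queues, and polling) live in two files on a FreeBSD 9.x/10.x router. The fragment below is an added example, not configuration from the thread or from any of the participants; the interface names, the two-queue count (chosen to match the two-core CPU above) and the 4096-entry ring sizes are assumptions for a box like this one, not measured tuning.

```conf
# /boot/loader.conf  -- igb(4)/em(4) tunables are read at boot, not via sysctl(8)
hw.igb.num_queues=2     # one RX/TX queue pair per core (assumed: 2-core CPU); 0 = driver picks
hw.igb.rxd=4096         # largest ring the driver accepts; absorbs bursts before the NIC counts drops
hw.igb.txd=4096
hw.em.rxd=4096          # the on-board em(4) port is the public interface in this thread
hw.em.txd=4096

# /etc/sysctl.conf
net.inet.ip.fastforwarding=1   # forwarded packets take ip_fastfwd; pf's pfil hooks still run
                               # (9.x/10.x only: removed in 11, where it became the default path)
kern.ipc.nmbclusters=262144    # assumed: enough mbuf clusters for four 4096-entry RX rings

# Polling is a separate, kernel-level choice: it needs "options DEVICE_POLLING"
# in the kernel config and is then enabled per interface at run time, e.g.
#   ifconfig em0 polling
# With MSI-X queues on the igb ports it is left off here.
```

After a reboot, `sysctl net.inet.ip.fastforwarding hw.igb.num_queues` confirms both values took effect, and `vmstat -i` should list one `igb0:que N` interrupt line per configured queue, which is the quickest way to see whether the queue count you asked for is the one the driver actually created.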