From: Vlad Galu
To: freebsd-net@freebsd.org
Date: Wed, 14 Jan 2004 22:15:31 +0200
Subject: Re: Handling 100.000 packets/sec or more

Adrian Penisoara writes:

|Hi,
|
| At one site that I administer we have a gateway server which services
|a large SOHO LAN (more than 300 stations) and I'm facing a serious
|issue: very often we see strong spoofed floods (variable source IP and
|port, variable destination IP, destination port 80) which can go as far
|as 100 000 packets/sec!
|
| Of course, the server (FreeBSD 5.2-REL, PIII 733Mhz, 256Mb RAM, 3COM
|3C905B-TX aka xl0 with checksum offloading support) has a hard time
|swallowing this kind of traffic. The main issue is the IRQ interrupts:
|over 15000 interrupts/sec which consume more than 90% of the CPU time.
|We got ingress filtering so the packets go no further than the firewall
|(which, BTW, is not the issue, even disabling it it's the same
|problem). The system is still responsive but the load average goes as
|high as 10 and the interface is losing packets (input errors) which
|dramatically affects legitimate traffic, besides mbuf(9) starvation. We
|are taking down the culprit clients, but this takes time and we need
|the other clients not to be affected by it.
|
| What can I do to make the system better handle this kind of traffic ?
|Could device polling(8) or just increasing the kernel frequency clock
|to 1000Hz or more improve the situation ?
| What kind of network cards could face a lot better this burden ? Are
|there any other solutions ?
|

Try fxp. It has better polling support, and there's the advantage of the link0 flag. When it's set, the interface won't send interrupts to the kernel for each packet it catches from the wire, but instead will wait until its own buffer is full, and generate an interrupt afterwards. It should be a great deal of improvement when associated with device polling. As you surely know, when the kernel receives an interrupt from an interface, it masks all further interrupts and schedules a polling task instead.

In matters of hardware improvements, I can only think of upgrading to a system board with a higher bandwidth between the south and the north bridges, and of course, using a CPU that has a higher clock rate.

| On a side note: what would be an adequate formula to calculate the
|NMBCLUSTERS and MBUFS we should set on this server (via boot-time
|kern.ipc.nmbclusters and kern.ipc.nmbufs) ?
|

I'm still thinking about that ...

| Thank you.
|
|--
|Adrian Penisoara
|Ady (@freebsd.ady.ro)
|

----
If it's there, and you can see it, it's real.
If it's not there, and you can see it, it's virtual.
If it's there, and you can't see it, it's transparent.
If it's not there, and you can't see it, you erased it.