Date:      Tue, 27 Jan 2015 12:28:46 -0500
From:      Antoine Beaupré <anarcat@koumbit.org>
To:        freebsd-net@FreeBSD.org
Subject:   is polling still a thing?
Message-ID:  <871tmgceup.fsf@marcos.anarc.at>

(Please CC, as I am not on the list.)

I was surprised to read this article in the pfSense blog:

https://blog.pfsense.org/?p=115

TLDR: "At this time, polling is not recommended at all."

Is that true? I am trying to tweak a Supermicro machine as a router to
survive major DDOS attacks on a 1gbps link. So far, I can't get far
beyond the 100kpps and 50mbps mark.

The hardware is:

 * 2xIntel E1G44HTBLK NICs
 * 1xIntel 1220LV2 CPU

More detailed specs here:

https://wiki.koumbit.net/rtr1.koumbit.net

We are using a stateful pf firewall and polling on the network
interfaces. We got around 100kpps during the DDOS, with 700kpps dropped
(or at least 700k/s errors) on the NIC. The DDOS was apparently 5.5gbps
but around 400mbps reached our port from upstream's point of view. The
kernel interfaces counted around 50mbps:

https://redmine.koumbit.net/attachments/download/7706
https://redmine.koumbit.net/attachments/download/7707
https://redmine.koumbit.net/attachments/download/7708
https://redmine.koumbit.net/attachments/download/7709

The load on the router was fine during the DDOS, but of course packet
loss was endemic.

At this point, I'm considering the following options:

 * switching to an Intel IGB NIC
 * enabling fastforwarding
 * tweaking the number of IGB queues

Any recommendations would be welcome.

Thanks!

A.

-- 
feature, n: a documented bug | bug, n: an undocumented feature
                        - Mario S F Ferreira <lioux@FreeBSD.org>


