is polling still a thing?
Antoine Beaupré
anarcat at koumbit.org
Tue Jan 27 17:28:51 UTC 2015
(Please CC, as I am not on the list.)
I was surprised to read this article in the pfSense blog:
https://blog.pfsense.org/?p=115
TLDR: "At this time, polling is not recommended at all."
Is that true? I am trying to tweak a Supermicro machine as a router to
survive major DDOS attacks on a 1gbps link. So far, I can't get far
beyond the 100kpps and 50mbps mark.
The hardware is:
* 2xIntel E1G44HTBLK NICs
* 1xIntel 1220LV2 CPU
More detailed specs here:
https://wiki.koumbit.net/rtr1.koumbit.net
We are using a stateful pf firewall and polling on the network
interfaces. We got around 100kpps during the DDOS, with 700kpps dropped
(or at least 700k/s errors) on the NIC. The DDOS was apparently 5.5gbps
but around 400mbps reached our port from upstream's point of view. The
kernel interfaces counted around 50mbps:
https://redmine.koumbit.net/attachments/download/7706
https://redmine.koumbit.net/attachments/download/7707
https://redmine.koumbit.net/attachments/download/7708
https://redmine.koumbit.net/attachments/download/7709
The load on the router was fine during the DDOS, but of course packet
loss was endemic.
At this point, I'm considering the following options:
* switching to an Intel IGB NIC
* enabling fastforwarding
* tweaking the number of IGB queues
Any recommendations would be welcome.
Thanks!
A.
--
feature, n: a documented bug | bug, n: an undocumented feature
- Mario S F Ferreira <lioux at FreeBSD.org>