On Fri, 15 Oct 2004 13:04:22 +0100 (BST), S Iremonger <exxsi@bath.ac.uk> wrote:

> > the external interface was
> > seeing about 600,000 pps at ~350Mbit/sec. The link is 1Gb, so it
>
> You may want some kind of simpler non-conntracking machine in front,
> that has a simpler stateless firewall configuration on it... --
> Maybe 'syncookies firewall' on that machine too....

Possibly, yeah. I guess it depends on if it can keep up with the traffic.

> If you give me more information on what the ddos traffic actually IS,
> I can give you more input on how you may combat it ;-).
> [and, MORE INFORMATION on what connections go out or in via this routing
> interface]...

Right. It's an Intel 7502 board, dual on-board Gig, and a couple of Gig cards in the PCI-X slots. All are the newer kind with interrupt coalescing, but that doesn't matter much with 2.6 and NAPI. One kernel was 2.4.20-... redhat kernel (got up to 600K pps, but was essentially dead at 200K) and another kernel was 2.6.8.1 with NAPI, which still kept passing reasonable traffic (3-400Mb legitimate outbound traffic) until the pps load hit ~290K.

It was a Syn flood, so the easy answer here is to let it through and let the target hosts deal with it directly.

I'm not seeking an easy answer, but am wondering what kind of pps limit people think is reasonable to expect. i.e. is there any hope of me using some kind of linux box to protect a 1Gb internet link. The current one does fine unless under duress. Putting another box in front is not a problem. Even an IPVS box that spreads the load across a bank of other routers which then do conntrack and iptables...

Should 1.5M pps be possible, has someone done it?
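Since the thread turns on the packet rate the box actually saw, here is an added example (not code from the thread or its posters) that computes per-interface pps, Mbit/s and drops per second from two /proc/net/dev snapshots and flags interfaces above a pps budget; the snapshots and the 290K budget are constructed from the numbers quoted above, and the 32-bit wrap handling is an assumption about 2.4-era counters.

```python
"""Packet rates per interface from two /proc/net/dev snapshots. Added example,
not code from the thread; assumes the Linux /proc/net/dev layout."""

# Constructed snapshots taken one second apart (not captured from the poster's
# router). After "iface:" the fields are rx: bytes packets errs drop fifo frame
# compressed multicast, then tx: bytes packets errs drop fifo colls carrier compressed.
SNAP_T0 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
  eth0: 4000000000 50000000    0  120    0     0          0         0 900000000 9000000    0    0    0     0       0          0
  eth1:  900000000  9000000    0    0    0     0          0         0 4000000000 50000000    0    0    0     0       0          0
"""
SNAP_T1 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
  eth0: 4044000000 50600000    0 2120    0     0          0         0 900000000 9000000    0    0    0     0       0          0
  eth1:  900000000  9000000    0    0    0     0          0         0 4044000000 50600000    0    0    0     0       0          0
"""

def parse_net_dev(text):
    """Map iface -> raw counters; the first two lines are column headers."""
    stats = {}
    for line in text.splitlines()[2:]:
        iface, _, rest = line.partition(":")
        f = rest.split()
        stats[iface.strip()] = {"rx_bytes": int(f[0]), "rx_packets": int(f[1]),
                                "rx_drop": int(f[3]), "tx_packets": int(f[9])}
    return stats

def delta(new, old, width=2 ** 32):
    """Counter difference tolerant of one wrap (assumes 32-bit 2.4-era counters)."""
    return new - old if new >= old else new + width - old

def rates(before, after, interval_s=1.0):
    """Per-interface rx pps, rx Mbit/s, rx drops/s and tx pps over the interval."""
    out = {}
    for iface in before.keys() & after.keys():
        b, a = before[iface], after[iface]
        out[iface] = {
            "rx_pps": delta(a["rx_packets"], b["rx_packets"]) / interval_s,
            "rx_mbps": delta(a["rx_bytes"], b["rx_bytes"]) * 8 / interval_s / 1e6,
            "rx_drop_ps": delta(a["rx_drop"], b["rx_drop"]) / interval_s,
            "tx_pps": delta(a["tx_packets"], b["tx_packets"]) / interval_s,
        }
    return out

def over_budget(rate_table, pps_budget):
    """Interfaces receiving more pps than the box has been seen to sustain."""
    return sorted(i for i, r in rate_table.items() if r["rx_pps"] > pps_budget)
```

For live use, feed `rates()` two reads of /proc/net/dev taken a known interval apart; a rising rx drop rate alongside flat pps is the sign the box, not the link, is the bottleneck.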