I've recently been testing how the 2.6 kernel can handle various
DDOS attacks while being a router and have come across a strange problem.
Machine 1:
2.4GHz P4
Intel S845WD1 Motherboard (32bit PCI Bus)
512MB RAM
Machine 2:
4x500MHz P3 Xeon
512MB RAM
Compaq Proliant 6400 (64bit PCI Bus)
Machine 1 completely freezes while being ddos'ed by 3 machines on a
test network with mstream (TCP ACKs), every once in a while top will
show that 100% of the cpu is being used for interrupts. Routing is
completely stopped.
Machine 2 doesn't see any load at all while being ddos'ed, doing a
tcpdump shows the first of the TCP ACK packets, all the rest are like
they are completely ignored. Other traffic is routed fine though during
the ddos. The only thing that changes is the ping time is 2ms more
during the ddos than without.
Both machines were tested with the exact same NIC cards, they are
dual port 32/64bit Intel Etherexpress pro cards capable of 4 total ports
with an addon module. During the testing the only option different in
the kernel was SMP. I've tested R1 compiled for P4 and for P3 with the
same results. I've also tried increasing the packets/interrupt option on
the eepro100 module but that doesn't affect it either. The tests were
done with kernel v2.6. using iptables both with and without the
following rule to filter the ddos:
iptables -t mangle -A PREROUTING -p tcp ! --syn -m state --state NEW -j DROP
It helped Machine 1 a little with cpu usage and most of the packets were
caught in the iptables counter, but on Machine 2 almost none were caught
by the rule.
Any help or suggestions anyone could provide for why Machine 2
ignores the flood and why Machine 1 stops completely would be much
appreciated.
Thanks for your time,
-Mike
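As an added illustration of what the posted rule ("-p tcp ! --syn -m state --state NEW -j DROP") matches, not part of Mike's mail: a small Python model in which a tracked flow is created only by a bare SYN, and any non-SYN packet that belongs to no tracked flow is counted and dropped, which is what happens to an ACK flood. The conntrack table and the packet samples are constructed simplifications, not netfilter's real implementation.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}

def is_syn_only(p: Packet) -> bool:
    # iptables --syn: SYN set and ACK/RST/FIN clear
    return "SYN" in p.flags and not (p.flags & {"ACK", "RST", "FIN"})

@dataclass
class NonSynNewFilter:
    # Simplified stand-in for conntrack: a flow is known if either
    # direction of its 4-tuple has been seen (constructed model).
    conntrack: set = field(default_factory=set)
    dropped: int = 0  # plays the role of the rule's packet counter

    def handle(self, p: Packet) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        state_new = fwd not in self.conntrack and rev not in self.conntrack
        if state_new and not is_syn_only(p):
            self.dropped += 1          # "! --syn" and "--state NEW" both match
            return "DROP"
        if state_new:
            self.conntrack.add(fwd)    # a bare SYN opens a tracked flow
        return "ACCEPT"

def run_sample() -> dict:
    """Constructed traffic: one legitimate handshake, then five bare ACKs
    from distinct sources with no prior SYN, as an ACK flood looks."""
    f = NonSynNewFilter()
    handshake = [
        Packet("10.0.0.5", 40001, "10.0.1.9", 80, frozenset({"SYN"})),
        Packet("10.0.1.9", 80, "10.0.0.5", 40001, frozenset({"SYN", "ACK"})),
        Packet("10.0.0.5", 40001, "10.0.1.9", 80, frozenset({"ACK"})),
    ]
    flood = [Packet(f"192.0.2.{i}", 1024 + i, "10.0.1.9", 80, frozenset({"ACK"}))
             for i in range(1, 6)]
    verdicts = [f.handle(p) for p in handshake + flood]
    return {"accepted": verdicts.count("ACCEPT"), "dropped": f.dropped,
            "verdicts": verdicts}

if __name__ == "__main__":
    print(run_sample())
```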