From: Alex Flex <aflexzor@gmail.com>
To: netfilter@vger.kernel.org
Subject: SynFloods and CPU usage with and without iptables. Confused!
Date: Sat, 04 May 2013 11:15:30 -0600 [thread overview]
Message-ID: <51854232.1030306@gmail.com> (raw)
Hello Netfilter,
Ive been receiving lately two types of syn floods on an Intel Xeon
2.4ghz + 4GB machine exclusively dedicated for this and the findings
have me very confused:
I have syn cookies enabled and checked to be working as per syslog.
This machine has a 10gigabit uplink so I know that networking isnt a
bottleneck here (bandwith or router hardware based).
SCENARIO 1: the first attack was: 105mbits @ 330,000 pps and it brought
the machine to 100% CPU usage and over 50% packetloss Load average 12.
At that time it had a simple iptables script that that had less then 5
blacklists of port 80 ips and then a ACCEPT On port 80, nothing fancy. I
disabled iptables and load average went down immediately to 8 but there
was still high packet loss so basically we where DoSed efficiently.
SCENARIO 2: After that the attacker sent only a 30mbit synflood @ 70,000
pps .. Now i had less packet loss, and interestingly with iptables
enabled it would create almost immediate packetloss. At this time I
tried to explore installing conntrack-tools information about the state
table. conntrack said that with iptables enabled and syncookies the
maximum entries where 1300 ONLY... and a CPU usage reported by HTOP of
40% on SI. After that I decided to drop iptables all together and
immediately port 80 started flowing with normal traffic (we have less
than 1mbit clean traffic) . No packetloss was present, because iptables
was disabled conntrack did not report any entries and netstat-na |wc -l
reported less than 300.
Questions:
a.) Can anybody suggest why there is so much CPU overhead when iptables
is turned on and dealing with such PPS? Is this normal? Usually what CPU
usage does a syn flood cookie enabled take?
b.) Is there a chance that the attacker exausted something else iam not
seeing?
Thanks for the help guys
Alex
next reply other threads:[~2013-05-04 17:15 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-05-04 17:15 Alex Flex [this message]
[not found] ` <27F4C2E78FB64527A44CA6E3BC368315@gmail.com>
[not found] ` <7668B4D1FBE84D73BC3BFBFCAFCBEC1F@gmail.com>
2013-05-04 18:42 ` SynFloods and CPU usage with and without iptables. Confused! Alex Flex
2013-05-04 18:45 ` Alex Flex
[not found] ` <417A64583B334DA0B8977D49C5A09DEE@gmail.com>
2013-05-04 20:41 ` Alex Flex
2013-05-04 21:01 ` Jozsef Kadlecsik
-- strict thread matches above, loose matches on Subject: below --
2013-05-04 17:24 Alex Flex
2013-05-04 21:39 ` hdemir
2013-05-04 22:07 ` Steve Kann
2013-05-05 1:27 ` Alex Flex
2013-05-05 1:34 ` Steve Kann
2013-05-05 2:01 ` Alex Flex
2013-05-05 1:29 ` Alex Flex
2013-05-06 11:27 ` Husnu Demir
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=51854232.1030306@gmail.com \
--to=aflexzor@gmail.com \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.