From: Eric Dumazet <eric.dumazet@gmail.com>
To: Jesper Dangaard Brouer <hawk@diku.dk>
Cc: paulmck@linux.vnet.ibm.com, Patrick McHardy <kaber@trash.net>,
Changli Gao <xiaosuo@gmail.com>,
hawk@comx.dk,
Linux Kernel Network Hackers <netdev@vger.kernel.org>,
Netfilter Developers <netfilter-devel@vger.kernel.org>
Subject: Re: DDoS attack causing bad effect on conntrack searches
Date: Fri, 23 Apr 2010 22:57:17 +0200 [thread overview]
Message-ID: <1272056237.4599.7.camel@edumazet-laptop> (raw)
In-Reply-To: <Pine.LNX.4.64.1004222213290.10919@ask.diku.dk>
Le jeudi 22 avril 2010 à 22:38 +0200, Jesper Dangaard Brouer a écrit :
>
> I think its plausable, there is a lot of modification going on.
> Approx 40.000 deletes/sec and 40.000 inserts/sec.
> The hash bucket size is 300032, and with 80000 modifications/sec, we are
> (potentially) changing 26.6% of the hash chains each second.
>
> As can be seen from the graphs:
> http://people.netfilter.org/hawk/DDoS/2010-04-12__001/list.html
>
> Notice that primarily CPU2 is doing the 40k deletes/sec, while CPU1 is
> caught searching...
>
>
> > maybe hash table has one slot :)
>
> Guess I have to reproduce the DoS attack in a testlab (I will first have
> time Tuesday). So we can determine if its bad hashing or restart of the
> search loop.
>
>
> The traffic pattern was fairly simple:
>
> 200 bytes UDP packets, comming from approx 60 source IPs, going to one
> destination IP. The UDP destination port number was varied in the range
> of 1 to 6000. The source UDP port was varied a bit more, some ranging
> from 32768 to 61000, and some from 1028 to 5000.
>
>
Re-reading this, I am not sure there is a real problem on RCU as you
pointed out.
With 800.000 entries, in a 300.032 buckets hash table, each lookup hit
about 3 entries (aka searches in conntrack stats)
300.000 packets/second -> 900.000 'searches' per second.
If you have four cpus all trying to insert/delete entries in //, they
all hit the central conntrack lock.
On a DDOS scenario, every packet needs to take this lock twice,
once to free an old conntrack (early drop), once to insert a new entry.
To scale this, only way would be to have an array of locks, like we have
for TCP/UDP hash tables.
I did some tests here, with a multiqueue card, flooded with 300.000
pack/second, 65.536 source IP, millions of flows, and nothing wrong
happened (but packets drops, of course)
My two cpus were busy 100%, after tweaking smp_affinities, because on
first try, irqbalance put "01" mask on both queues, so only one ksoftirq
was working, other cpu was idle :(
next prev parent reply other threads:[~2010-04-23 20:57 UTC|newest]
Thread overview: 54+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-04-22 12:58 DDoS attack causing bad effect on conntrack searches Jesper Dangaard Brouer
2010-04-22 13:13 ` Changli Gao
2010-04-22 13:17 ` Patrick McHardy
2010-04-22 14:36 ` Eric Dumazet
2010-04-22 14:53 ` Eric Dumazet
2010-04-22 15:51 ` Paul E. McKenney
2010-04-22 16:02 ` Eric Dumazet
2010-04-22 16:34 ` Paul E. McKenney
2010-04-22 20:38 ` Jesper Dangaard Brouer
2010-04-22 21:03 ` Eric Dumazet
2010-04-22 21:14 ` Eric Dumazet
2010-04-22 23:44 ` David Miller
2010-04-23 5:44 ` Eric Dumazet
2010-04-23 8:13 ` David Miller
2010-04-23 8:18 ` David Miller
2010-04-23 8:40 ` Jesper Dangaard Brouer
2010-04-23 10:36 ` Patrick McHardy
2010-04-23 11:06 ` Eric Dumazet
2010-04-22 21:28 ` Jesper Dangaard Brouer
2010-04-23 7:23 ` Jan Engelhardt
2010-04-23 7:46 ` Eric Dumazet
2010-04-23 7:55 ` Jan Engelhardt
2010-04-23 9:23 ` Eric Dumazet
2010-04-23 10:55 ` Patrick McHardy
2010-04-23 11:05 ` Eric Dumazet
2010-04-23 11:06 ` Patrick McHardy
2010-04-23 20:57 ` Eric Dumazet [this message]
2010-04-24 11:11 ` Jesper Dangaard Brouer
2010-04-24 20:11 ` Eric Dumazet
2010-04-26 14:36 ` Jesper Dangaard Brouer
2010-05-31 21:21 ` Eric Dumazet
2010-06-01 0:28 ` Changli Gao
2010-06-01 5:05 ` Eric Dumazet
2010-06-01 5:48 ` Changli Gao
2010-06-01 10:18 ` Patrick McHardy
2010-06-01 10:31 ` Eric Dumazet
2010-06-01 10:41 ` Patrick McHardy
2010-06-01 16:20 ` [RFC nf-next-2.6] conntrack: per cpu nf_conntrack_untracked Eric Dumazet
2010-06-04 11:40 ` Patrick McHardy
2010-06-04 12:10 ` Changli Gao
2010-06-04 12:29 ` Patrick McHardy
2010-06-04 12:36 ` Eric Dumazet
2010-06-04 16:25 ` [PATCH nf-next-2.6] conntrack: IPS_UNTRACKED bit Eric Dumazet
2010-06-04 20:15 ` [PATCH nf-next-2.6 2/2] conntrack: per_cpu untracking Eric Dumazet
2010-06-08 14:29 ` Patrick McHardy
2010-06-08 14:52 ` Eric Dumazet
2010-06-08 15:12 ` Eric Dumazet
2010-06-09 12:45 ` Patrick McHardy
2010-06-08 14:12 ` [PATCH nf-next-2.6] conntrack: IPS_UNTRACKED bit Patrick McHardy
2010-04-23 10:56 ` DDoS attack causing bad effect on conntrack searches Patrick McHardy
2010-04-23 12:45 ` Jesper Dangaard Brouer
2010-04-23 13:57 ` Patrick McHardy
2010-04-22 13:31 ` Jesper Dangaard Brouer
2010-04-23 10:35 ` Patrick McHardy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1272056237.4599.7.camel@edumazet-laptop \
--to=eric.dumazet@gmail.com \
--cc=hawk@comx.dk \
--cc=hawk@diku.dk \
--cc=kaber@trash.net \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=paulmck@linux.vnet.ibm.com \
--cc=xiaosuo@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox