From: Alex Flex <aflexzor@gmail.com>
To: netfilter@vger.kernel.org
Subject: SynFloods and CPU usage with and without iptables. Confused!
Date: Sat, 04 May 2013 11:15:30 -0600
Message-ID: <51854232.1030306@gmail.com>
Hello Netfilter,

I've been receiving lately two types of SYN floods on an Intel Xeon
2.4GHz + 4GB machine exclusively dedicated for this, and the findings
have me very confused:

I have SYN cookies enabled and checked to be working as per syslog.
This machine has a 10 gigabit uplink so I know that networking isn't a
bottleneck here (bandwidth or router hardware based).

SCENARIO 1: the first attack was 105 Mbit/s @ 330,000 pps and it brought
the machine to 100% CPU usage and over 50% packet loss, load average 12.
At that time it had a simple iptables script that had fewer than 5
blacklists of port 80 IPs and then an ACCEPT on port 80, nothing fancy. I
disabled iptables and load average went down immediately to 8 but there
was still high packet loss, so basically we were DoSed efficiently.

SCENARIO 2: After that the attacker sent only a 30 Mbit/s SYN flood @ 70,000
pps. Now I had less packet loss, and interestingly with iptables
enabled it would create almost immediate packet loss. At this time I
tried to explore installing conntrack-tools for information about the state
table. conntrack said that with iptables enabled and SYN cookies the
maximum entries were 1300 ONLY... and a CPU usage reported by htop of
40% on SI. After that I decided to drop iptables altogether and
immediately port 80 started flowing with normal traffic (we have less
than 1 Mbit/s clean traffic). No packet loss was present; because iptables
was disabled conntrack did not report any entries and netstat -na | wc -l
reported less than 300.

Questions:

a.) Can anybody suggest why there is so much CPU overhead when iptables
is turned on and dealing with such PPS? Is this normal? Usually what CPU
usage does a SYN flood with cookies enabled take?

b.) Is there a chance that the attacker exhausted something else I am not
seeing?
Thanks for the help guys
Alex
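Question (b) asks whether something other than raw CPU was exhausted. The script below is an added example, not from the thread, that parses the two kernel counters a defender would check for that: the per-CPU drop/early_drop counters from /proc/net/stat/nf_conntrack (read by header name, values in hex) and the softirq share that htop labels SI, computed from two /proc/stat samples. All sample text is constructed; the 1300 entries and the nf_conntrack_max value passed in are assumptions chosen to mirror the post.

```python
"""Did conntrack shed entries under the flood, and how much CPU went to
softirq (htop's SI column)?  All sample text below is constructed."""

# Constructed sample in the layout of /proc/net/stat/nf_conntrack:
# a header line, then one row of hex counters per CPU.
NF_CONNTRACK_STAT = """\
entries  searched found new invalid ignore delete delete_list insert insert_failed drop early_drop icmp_error  expect_new expect_create expect_delete search_restart
00000514  0001a2b3 0000ff00 00012c00 00000000 00000000 00012b80 00012b80 00012c00 00000000 000003e8 00000064 00000000  00000000 00000000 00000000 00000000
00000514  000191e4 0000fe00 00012a00 00000000 00000000 00012980 00012980 00012a00 00000000 000001f4 00000032 00000000  00000000 00000000 00000000 00000000
"""

# Constructed "cpu" lines from two /proc/stat reads a few seconds apart.
# Fields: user nice system idle iowait irq softirq steal guest guest_nice
PROC_STAT_BEFORE = "cpu  1000 0 500 8000 100 50 200 0 0 0"
PROC_STAT_AFTER = "cpu  1100 0 600 9000 100 60 1200 0 0 0"


def parse_conntrack_stat(text):
    """Sum each hex counter over all CPU rows, keyed by header name.
    'entries' is the table size repeated on every row, so it is not summed."""
    lines = text.strip().splitlines()
    cols = lines[0].split()
    totals = dict.fromkeys(cols, 0)
    for row in lines[1:]:
        for col, val in zip(cols, row.split()):
            totals[col] += int(val, 16)
    totals["entries"] = int(lines[1].split()[0], 16)
    return totals


def softirq_share(before, after):
    """Fraction of CPU time spent in softirq between two /proc/stat samples."""
    b = [int(x) for x in before.split()[1:]]
    a = [int(x) for x in after.split()[1:]]
    delta = [y - x for x, y in zip(b, a)]
    return delta[6] / sum(delta)  # index 6 is the softirq field


def diagnose(stat, nf_conntrack_max, si_share):
    """Return the findings a practitioner would act on, as plain strings."""
    findings = []
    if stat["drop"] or stat["early_drop"]:
        findings.append("conntrack dropped or early-dropped entries: the table "
                        "filled up at this SYN rate (raise nf_conntrack_max or "
                        "shorten the SYN_SENT timeout)")
    if stat["entries"] >= nf_conntrack_max:
        findings.append("nf_conntrack_count has reached nf_conntrack_max")
    if si_share > 0.30:
        findings.append("softirq dominates CPU: packet processing, not "
                        "userspace, is the bottleneck")
    return findings
```

On a live box, replace the constructed strings with the contents of /proc/net/stat/nf_conntrack and two reads of the first line of /proc/stat, and pass the value of /proc/sys/net/netfilter/nf_conntrack_max.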