[nycbug-talk] Some DoS benchmarking

Charles Sprickman spork
Sat Mar 19 00:23:23 EST 2005

Hey all,

I don't know if anyone here reads the forums on DSLReports at all, but I 
stop by there now and then mostly for their Mac forum and to vent 
frustrations on the political boards.  They have a unix forum, but it's 
mostly linux noobs asking about "Dropline Gnome", "Ubuntu" and many other 
things that make little sense to me.

Anyhow, the site was recently DDoS'd and the frontend box couldn't handle 
it.  Their upstream apparently was able to squash some of it so that it 
wasn't a bandwidth DoS, but the Linux 2.4.? kernel was spending an 
inordinate amount of time servicing interrupts from the network card.

This thread has the site owner/admin musing over how to improve it. 
Needless to say the 3 BSD guys there didn't say "dude, drop linux and go 
to BSD", but we did all do some testing.  I'm "sporkme".  That 
"eatmeingreek" guy seems pretty clever... :)

As you can see down the line I eventually wrangled some decent hardware 
and it performed great.  I'm a bit stuck as far as getting the *senders* 
to generate more than 130,000 pps and 65Mb/s.  At one point I had one dual 
2.8 Xeon, one dual 2.0 Xeon and one dual 1.0 PIII box hitting it.  The 
receiving box was totally responsive (running 4.11, BTW) and was only 
spending about 8% of the CPU servicing interrupts, and that's WITHOUT 
polling enabled in the kernel.  Pretty impressive.  I'm wondering if my 
little backend switch (I used the internal network for this) is the 

Thoughts?  Observations?  Hints on tuning polling (Hz value) if this were 
a real-world DDoS and I wanted to make sure I'm not wasting cycles 
processing garbage?




Charles Sprickman
Bway.net - New York's Best Internet - www.bway.net
spork at bway.net - 212.655.9344

More information about the talk mailing list