[nycbug-talk] Some DoS benchmarking
alex at pilosoft.com
Sat Mar 19 01:27:19 EST 2005
On Sat, 19 Mar 2005, Charles Sprickman wrote:
> This thread has the site owner/admin musing over how to improve it.
> Needless to say the 3 BSD guys there didn't say "dude, drop linux and go
> to BSD", but we did all do some testing. I'm "sporkme". That
> "eatmeingreek" guy seems pretty clever... :)
They are clueless.
> As you can see down the line I eventually wrangled some decent hardware
> and it performed great. I'm a bit stuck as far as getting the *senders*
> to generate more than 130,000 pps and 65Mb/s. At one point I had one
For senders, use linux and pktgen module.
> dual 2.8 Xeon, one dual 2.0 Xeon and one dual 1.0 PIII box hitting it.
> The receiving box was totally responsive (running 4.11, BTW) and was
> only spending about 8% of the CPU servicing interrupts, and that's
> WITHOUT polling enabled in the kernel. Pretty impressive. I'm
> wondering if my little backend switch (I used the internal network for
> this) is the bottleneck?
130kpps ain't squat. It isn't even a 'ddos' in my book. :)
I've been ddos'd with 5Mpps. I was able to route the traffic up to 1Mpps,
filter and route 'clean' traffic up to 2Mpps.
You really want polling. Really. Also, you need to be able to *filter*
traffic somehow so it doesn't all hit apache, to distinguish ddos from
non-ddos. There are many ways to do that, such as serving redirects with
cookies etc. These are non-trivial.
> Thoughts? Observations? Hints on tuning polling (Hz value) if this
> were a real-world DDoS and I wanted to make sure I'm not wasting cycles
> processing garbage?
Real-world DDoS is measured in Mpps, not kpps.
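The "redirects with cookies" filter mentioned above, written out as an added example; this is not code from the thread or from any of the posters. It assumes a small front end (a reverse proxy or a filter hook) that can call decide() per request before anything is forwarded to apache; the cookie name ddos_pass, the 600-second token bucket, and the decide/issue_token/token_is_valid helpers are this example's own choices. The idea is that a real browser follows the 302 and returns the cookie, while a packet flood or a dumb HTTP flooder generally does not, so only cookie-bearing requests cost you apache time. The token is an HMAC over the client address and a time bucket, so a cookie harvested from one bot cannot be replayed by the rest of the botnet from other addresses.

```python
"""Cookie-challenge front door for separating flood traffic from real clients.

Added example, not code from the NYC*BUG thread. It assumes a reverse proxy
or filter in front of apache that calls decide() for each request; names
such as COOKIE_NAME, SECRET and decide are this example's own choices.
"""
import hashlib
import hmac
import secrets

COOKIE_NAME = "ddos_pass"
BUCKET_SECONDS = 600               # token rotates every 10 min; previous bucket still accepted
SECRET = secrets.token_bytes(32)   # per-process key; in practice share it across all front ends


def _token(client_ip: str, bucket: int, secret: bytes) -> str:
    # Bind the token to the client address and a time bucket so a cookie
    # captured from one bot cannot be replayed from the whole botnet.
    msg = f"{client_ip}|{bucket}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]


def issue_token(client_ip: str, now: float, secret: bytes = SECRET) -> str:
    return _token(client_ip, int(now // BUCKET_SECONDS), secret)


def token_is_valid(client_ip: str, token: str, now: float, secret: bytes = SECRET) -> bool:
    bucket = int(now // BUCKET_SECONDS)
    # Accept the current and the previous bucket so a browser is not bounced
    # every time the clock ticks over; compare_digest avoids timing leaks.
    return any(hmac.compare_digest(_token(client_ip, b, secret), token)
               for b in (bucket, bucket - 1))


def parse_cookie_header(header: str) -> dict:
    """Parse 'a=1; b=2' into {'a': '1', 'b': '2'}; ignores malformed parts."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


def decide(headers: dict, client_ip: str, path: str, now: float,
           secret: bytes = SECRET) -> tuple:
    """Return ("pass", None) to forward to apache, or ("redirect", response_headers).

    Only requests carrying a valid challenge cookie reach the web server.
    Everything else gets a cheap 302 back to the same path that sets the
    cookie; a real browser follows it and returns with the cookie, while a
    flood tool that neither follows redirects nor stores cookies never does.
    """
    cookies = parse_cookie_header(headers.get("Cookie", ""))
    token = cookies.get(COOKIE_NAME, "")
    if token and token_is_valid(client_ip, token, now, secret):
        return ("pass", None)
    response = {
        "Status": "302 Found",
        "Location": path,
        "Set-Cookie": f"{COOKIE_NAME}={issue_token(client_ip, now, secret)}; Path=/; HttpOnly",
        "Cache-Control": "no-store",
    }
    return ("redirect", response)


if __name__ == "__main__":
    # Constructed sample traffic, not captured data.
    now = 1_000_000.0
    flood = decide({}, "10.0.0.5", "/index.html", now)
    print("no cookie      ->", flood[0])                       # redirect
    tok = flood[1]["Set-Cookie"].split(";")[0].split("=", 1)[1]
    back = decide({"Cookie": f"{COOKIE_NAME}={tok}"}, "10.0.0.5", "/index.html", now)
    print("returned cookie ->", back[0])                       # pass
    replay = decide({"Cookie": f"{COOKIE_NAME}={tok}"}, "10.0.0.6", "/index.html", now)
    print("replayed from other IP ->", replay[0])              # redirect
    stale = decide({"Cookie": f"{COOKIE_NAME}={tok}"}, "10.0.0.5", "/index.html", now + 2 * BUCKET_SECONDS)
    print("expired cookie ->", stale[0])                       # redirect
```

The non-trivial part alex alludes to is the false positives: anything that does not keep cookies (curl without a cookie jar, some monitoring probes, search-engine crawlers, clients behind an address-rewriting proxy that changes mid-session) is bounced forever, so in practice the redirect path needs an allow list and a way to exempt clients that can only be identified by other means. Note also that this only helps against floods that reach the HTTP layer; raw packet floods at the Mpps rates discussed above have to be dropped below the socket, with polling and kernel-level filtering, before apache or this filter ever sees them.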