[nycbug-talk] Some DoS benchmarking

alex at pilosoft.com alex
Sat Mar 19 01:27:19 EST 2005


On Sat, 19 Mar 2005, Charles Sprickman wrote:

> This thread has the site owner/admin musing over how to improve it.  
> Needless to say the 3 BSD guys there didn't say "dude, drop linux and go
> to BSD", but we did all do some testing.  I'm "sporkme".  That
> "eatmeingreek" guy seems pretty clever... :)
They are clueless.

> As you can see down the line I eventually wrangled some decent hardware
> and it performed great.  I'm a bit stuck as far as getting the *senders*
> to generate more than 130,000 pps and 65Mb/s.  At one point I had one
For senders, use Linux and the pktgen module.

> dual 2.8 Xeon, one dual 2.0 Xeon and one dual 1.0 PIII box hitting it.  
> The receiving box was totally responsive (running 4.11, BTW) and was
> only spending about 8% of the CPU servicing interrupts, and that's
> WITHOUT polling enabled in the kernel.  Pretty impressive.  I'm
> wondering if my little backend switch (I used the internal network for
> this) is the bottleneck?
130kpps ain't squat. It isn't even a 'ddos' in my book. :)

I've been ddos'd with 5Mpps. I was able to route the traffic up to 1Mpps,
filter and route 'clean' traffic up to 2Mpps.

You really want polling. Really. Also, you need to be able to *filter* 
traffic somehow so it doesn't all hit apache, to distinguish ddos from 
non-ddos. There are many ways to do that, such as serving redirects with 
cookies etc. These are non-trivial.

> Thoughts?  Observations?  Hints on tuning polling (Hz value) if this
> were a real-world DDoS and I wanted to make sure I'm not wasting cycles
> processing garbage?
Real-world DDoS is measured in Mpps, not kpps.

-alex
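Alex mentions "serving redirects with cookies" as one way to keep a flood from reaching Apache. The sketch below is an added example written for this page, not code from the list or from any of the posters: a stateless cookie challenge in front of the web server. A client with no valid cookie gets a 302 back to the same URL plus an HMAC-signed cookie bound to its source address and a timestamp; a client that honours Set-Cookie and follows the redirect (a browser) is passed through on the next request, while a dumb flooder that never stores cookies keeps getting cheap redirects and never touches the application. The function and cookie names, the TTL and the secret are all assumptions made for the example; in practice the check would sit in a reverse proxy or a module rather than a Python handler.

```python
import hashlib
import hmac
import secrets
import time

# Per-process secret (constructed at import time for this example; a real deployment
# would generate it once at startup and share it across front-end hosts).
SECRET = secrets.token_bytes(32)
COOKIE_NAME = "challenge"   # assumed cookie name
TTL = 600                   # seconds a challenge cookie stays valid


def _sign(client_ip, ts):
    """HMAC over (client address, issue time); binds the cookie to one source."""
    msg = "{}|{}".format(client_ip, ts).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_cookie(client_ip, now=None):
    """Return a fresh cookie value '<timestamp>.<hex mac>' for this client."""
    ts = int(now if now is not None else time.time())
    return "{}.{}".format(ts, _sign(client_ip, ts))


def cookie_is_valid(value, client_ip, now=None):
    """True only if the cookie was minted by us, for this address, within TTL."""
    now = int(now if now is not None else time.time())
    try:
        ts_str, mac = value.split(".", 1)
        ts = int(ts_str)
    except ValueError:
        return False
    # Reject expired cookies and anything dated noticeably in the future.
    if not (now - TTL <= ts <= now + 60):
        return False
    # Constant-time comparison so a forger learns nothing from timing.
    return hmac.compare_digest(mac, _sign(client_ip, ts))


def _get_cookie(cookie_header, name):
    """Minimal Cookie: header parser; returns the value of `name` or None."""
    for part in cookie_header.split(";"):
        k, _, v = part.strip().partition("=")
        if k == name:
            return v
    return None


def handle_request(method, path, headers, client_ip, now=None):
    """Front-end decision for one request.

    Returns (status, response_headers, body). 200/"PASS" stands in for
    forwarding to the origin server; 302 is the challenge. No per-client
    state is kept, so the cost per unverified request is one HMAC.
    """
    value = _get_cookie(headers.get("Cookie", ""), COOKIE_NAME)
    if value is not None and cookie_is_valid(value, client_ip, now):
        return (200, {}, "PASS")
    # Unverified client: hand out a cookie and bounce it back to the same URL.
    fresh = issue_cookie(client_ip, now)
    resp_headers = {
        "Location": path,
        "Set-Cookie": "{}={}; HttpOnly; Path=/".format(COOKIE_NAME, fresh),
    }
    return (302, resp_headers, "")


if __name__ == "__main__":
    # Constructed walk-through: first hit is challenged, the retry is passed.
    ip = "192.0.2.10"
    status, hdrs, _ = handle_request("GET", "/index.html", {}, ip)
    print(status, hdrs["Location"])
    cookie = hdrs["Set-Cookie"].split(";", 1)[0]
    status, _, body = handle_request("GET", "/index.html", {"Cookie": cookie}, ip)
    print(status, body)
```

Two points worth noting for the scenario in this thread: the filter is stateless, which is what keeps it viable when the unverified request rate is high, and it only helps against floods that complete a TCP handshake and send HTTP. Spoofed-source packet floods of the Mpps kind Alex describes never get this far and have to be dropped below the socket layer, which is where the polling and packet-filter tuning discussed above applies.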
