How does the kernel handle packets?
So far I came to this: the network card receives a signal (packet) -> the hardware interrupt handler handles it, BUT if there are too many interrupts, ksoftirqd starts dealing with them. Now I wonder what exactly happens. Does ksoftirqd "put" the packet in something like a queue and simply forget about it (deal with another interrupt)? What happens if the application cannot handle this packet? What happens if a packet has a wrong checksum? Is it dropped? When? My machine is currently being flooded with a huge number of packets, I'm receiving around 250k packets/sec, ksoftirqd (rx) goes crazy (full CPU usage) and the whole machine works badly. I wonder if the application (www server) might process packets slowly and therefore slow down the whole ksoftirqd process. Is this normal behaviour for such a number of packets? I'm using an Intel 82574L network card and the 2.6.35.5 kernel.
Sure. The flood comes from random spoofed IP addresses, all packets have a wrong checksum, no flags, port 80. Here is a short log from tcpdump. If you need some specific details, let me know, I will try to post them here.
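To answer the "wrong checksum: is it dropped, and when?" question above with something that can be run, here is an added example (not code from this thread) that applies, in order, the same header checks the Linux IPv4/TCP receive path applies before any socket or application is involved: the IPv4 header checksum (rejected in ip_rcv), the TCP checksum over the pseudo-header (rejected in tcp_v4_rcv; netfilter's conntrack reports the same failure as state INVALID), and finally the flag byte. The packets are constructed locally by build_ipv4_tcp() and mirror the description of the flood (port 80, no flags, bad checksum, TTL 249); the function and verdict names are this example's own, not kernel identifiers.

```python
"""Added example, not code from the thread: a hypothetical classifier that
applies the header checks the Linux IPv4/TCP receive path applies before any
socket or application is involved. Packets are constructed locally; nothing
is sent on the wire."""
import struct

FLAG_SYN = 0x02
FLAG_ACK = 0x10


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum. Over a header that already contains its checksum
    field the result is 0, which is how the receiver verifies it."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, flags: int,
                   ttl: int = 64, payload: bytes = b"",
                   bad_tcp_csum: bool = False) -> bytes:
    """Construct a minimal IPv4 + TCP packet (no options); constructed test data."""
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    # TCP header: sport, dport, seq, ack, data offset (5 words), flags, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags,
                      65535, 0, 0) + payload
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, 6, len(tcp))
    csum = ones_complement_checksum(pseudo + tcp)
    if bad_tcp_csum:
        csum ^= 0x0001  # corrupt one bit, like the flood described in the thread
    tcp = tcp[:16] + struct.pack("!H", csum) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, ttl, 6,
                     0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", ones_complement_checksum(ip)) + ip[12:]
    return ip + tcp


def classify(pkt: bytes) -> str:
    """Return where the receive path rejects the packet, or 'accept'."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "drop:not_ipv4"
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or total_len < ihl or len(pkt) < total_len:
        return "drop:truncated"
    if ones_complement_checksum(pkt[:ihl]) != 0:
        return "drop:ip_checksum"   # ip_rcv discards before any L4 handler runs
    if pkt[9] != 6:
        return "accept:not_tcp"
    seg = pkt[ihl:total_len]
    if len(seg) < 20:
        return "drop:truncated"
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, 6, len(seg))
    if ones_complement_checksum(pseudo + seg) != 0:
        return "drop:tcp_checksum"  # tcp_v4_rcv discards; conntrack calls it INVALID
    if seg[13] == 0:
        return "drop:null_flags"    # no SYN on a new flow: the listener never sees it
    return "accept"


def summarize(packets) -> dict:
    """Count verdicts over a batch of packets."""
    counts = {}
    for p in packets:
        verdict = classify(p)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# Constructed sample batch: one legitimate SYN, two flood-style segments.
SAMPLE = [
    build_ipv4_tcp("192.0.2.10", "10.0.0.2", 40000, 80, FLAG_SYN),
    build_ipv4_tcp("198.51.100.7", "10.0.0.2", 1234, 80, 0, ttl=249, bad_tcp_csum=True),
    build_ipv4_tcp("198.51.100.8", "10.0.0.2", 1235, 80, 0, ttl=249),
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

The order of the checks is the point: a segment with a bad TCP checksum is discarded inside the softirq context, before conntrack state is created and long before the web server could see it, so the CPU cost of the flood is paid in ksoftirqd regardless of how fast the application is.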
So basically what you've got is "-m tcp" packets to "--dport 80" which are "! --syn" (no flags) and "--state INVALID" (checksum) and "-m ttl --ttl-eq 249" which you could ("-m limit --limit 1/second" and then) "-j REJECT" or "-j DROP". If unsure, post your unabbreviated rule set (please use BB code tags or attach plain text "iptables.conf" from running 'iptables-save > /tmp/iptables.conf').
I got a rule to drop these packets:

iptables -A INPUT -p tcp ! --syn -m state ! --state ESTABLISHED,RELATED -j DROP

Unfortunately it doesn't deal with my problem. The interrupt handler goes crazy (ksoftirqd for rx transmission) and uses the whole CPU thread (99% CPU usage), which causes connection problems, random connection losses - basically the whole machine becomes unstable. I'm not sure if I can block this kind of attack on the server level. Since ksoftirqd eats the whole CPU thread I was even considering disabling Hyper-Threading in the BIOS to get additional CPU power for the ksoftirqd process. Maybe there is a way to somehow tweak ksoftirqd or tweak the network driver (to somehow drop such "bad packets" as soon as possible?). I found an interesting post about Facebook and their memcached servers, where they were struggling with a similar problem. Unfortunately, I don't really understand how they dealt with it... http://www.facebook.com/note.php?note_id=39391378919
Is your Intel 82574L network card swappable for another card for you to test? Does /proc/interrupts show any other devices with high counts? In some cases unloading unneeded kernel modules could help. Tried that? (BTW, while old, this might describe what you're seeing in a slightly easier to read way.)
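The /proc/interrupts question above, and the earlier observation that one ksoftirqd thread sits at 99%, both come down to two /proc files. As an added example (not code from this thread), the script below parses them: /proc/net/softnet_stat, whose first three hex columns per CPU are packets processed, packets dropped because the backlog queue was full, and time_squeeze (net_rx_action ran out of budget and deferred the rest to ksoftirqd), and /proc/interrupts, to find the hottest IRQ line and how much of it lands on a single CPU. The sample text is constructed to look like a NIC rx vector pinned to CPU0; the function names and the report keys are this example's own.

```python
"""Added example, not from the thread: readers for the two /proc files that
show whether the softirq receive path is saturated and which IRQ line is hot.
Sample text is constructed. Assumption: the first three columns of
/proc/net/softnet_stat are processed, dropped, time_squeeze (hex)."""
from typing import Dict, List

# Constructed sample: CPU0 processed 1,000,000 packets and hit the
# net_rx_action budget 1,000 times; CPU1 is almost idle.
SOFTNET_SAMPLE = """\
000f4240 00000000 000003e8 00000000 00000000 00000000 00000000 00000000 00000000 00000000
00001388 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
"""

# Constructed sample: the NIC's rx vector is delivered almost only to CPU0.
INTERRUPTS_SAMPLE = """\
           CPU0       CPU1
  0:        146          0   IO-APIC-edge      timer
 44:   98765432        112   PCI-MSI-edge      eth0-rx-0
 45:       4321       4000   PCI-MSI-edge      eth0-tx-0
NMI:          0          0   Non-maskable interrupts
LOC:    1234567    1234566   Local timer interrupts
ERR:          0
"""


def parse_softnet_stat(text: str) -> List[Dict[str, int]]:
    """One row per CPU, in file order (row N is CPU N)."""
    rows = []
    for cpu, line in enumerate(l for l in text.splitlines() if l.strip()):
        cols = [int(tok, 16) for tok in line.split()]
        rows.append({"cpu": cpu, "processed": cols[0],
                     "dropped": cols[1], "time_squeeze": cols[2]})
    return rows


def saturated_cpus(rows) -> List[int]:
    """CPUs whose backlog overflowed (dropped) or whose net_rx_action ran out
    of budget and deferred to ksoftirqd (time_squeeze). With a NAPI driver and
    no RPS the backlog queue is not used, so time_squeeze is the one to watch."""
    return [r["cpu"] for r in rows if r["dropped"] or r["time_squeeze"]]


def parse_interrupts(text: str) -> List[Dict]:
    """Rows of {irq, counts per CPU, description}; rows with fewer counts
    than CPUs (ERR, MIS) are kept as-is."""
    lines = [l for l in text.splitlines() if l.strip()]
    ncpu = len(lines[0].split())
    rows = []
    for line in lines[1:]:
        name, _, rest = line.partition(":")
        toks = rest.split()
        counts = []
        while toks and len(counts) < ncpu and toks[0].isdigit():
            counts.append(int(toks.pop(0)))
        rows.append({"irq": name.strip(), "counts": counts, "desc": " ".join(toks)})
    return rows


def top_interrupt_sources(rows, n: int = 3) -> List[Dict]:
    return sorted(rows, key=lambda r: sum(r["counts"]), reverse=True)[:n]


def busiest_cpu_share(row) -> float:
    """Fraction of this IRQ's interrupts landing on one CPU (1.0 = no spreading)."""
    total = sum(row["counts"])
    return max(row["counts"]) / total if total else 0.0


def report(softnet_text: str, interrupts_text: str) -> Dict:
    top = top_interrupt_sources(parse_interrupts(interrupts_text), 1)[0]
    return {"saturated_cpus": saturated_cpus(parse_softnet_stat(softnet_text)),
            "top_irq": top["irq"], "top_irq_desc": top["desc"],
            "top_irq_cpu_share": round(busiest_cpu_share(top), 4)}


def report_live() -> Dict:
    """Same report from the running kernel (Linux only)."""
    with open("/proc/net/softnet_stat") as f, open("/proc/interrupts") as g:
        return report(f.read(), g.read())


if __name__ == "__main__":
    print(report(SOFTNET_SAMPLE, INTERRUPTS_SAMPLE))
```

Read it twice a few seconds apart and diff the counters: a rising time_squeeze on exactly the CPU that owns the NIC's rx interrupt, with that IRQ's cpu_share close to 1.0, is the signature of the single saturated ksoftirqd described in this thread, and it is independent of what the web server is doing.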