Hello Friends ;

I have detected an issue on kernels. I have tested this problem with kernel 2.x to 4.9 on any kernel and all the results was same.

If a same source ip for ex : 185.99.22.33 start flooding packets to victim , let's say to victim B.
B's only one cpu core handling the issue. IRQ is not sending traffic to other cores.
Also i have tested this issue on :
Ubuntu 14.x
Cent os 6.x
Free bsd 7.2 and 10.x
even Juniper SRX 3600

But as far as i know mikrotik also uses kernel. But it over come the issue even it is installed on a hardware with same server :S

If you have a 24 core cpu (2x E5 2650v3) with dpdk maybe you decide that you should handle 24x 500.000 pps . In normal conditions
Voila it works .

But 2 attacker if spoof their ip addresses to one with sending udp packets from same spoofed source : 185.99.22.33

Than when it arrives 500.001 pps kernel crashes because of core stuck !

we have overcome the issue with a small script to block packet on ethernet card. But i want to know the technical cause and solution


Why dooe the irq not balancing ?
what is diffrent on mikrotik's kernel ?
Should we solve this by editing kernel to not handle on the same core from the traffics that comes from the same source ?

You may need change scheduler to balance IRQ.

It is sth. more like , it creates a session for each source than send all traffic for this session to same core.
Do you have docs. for the scheduler maybe you should be right , i will check ?

Use the tc qdisc show command. The second field is the network scheduler. The default, pfifo_fast is basically first in, first out within a priority with higher priorities always going before lower priorities.