(Please CC, as I am not on the list.)

I was surprised to read this article in the pfSense blog:

https://blog.pfsense.org/?p=115

TLDR: "At this time, polling is not recommended at all."

Is that true?

I am trying to tweak a Supermicro machine as a router to survive major DDOS attacks on a 1gbps link. So far, I can't get far beyond the 100kpps and 50mbps mark. The hardware is:

* 2x Intel E1G44HTBLK NICs
* 1x Intel 1220LV2 CPU

More detailed specs here:

https://wiki.koumbit.net/rtr1.koumbit.net

We are using a stateful pf firewall and polling on the network interfaces. We got around 100kpps during the DDOS, with 700kpps dropped (or at least 700k/s errors) on the NIC. The DDOS was apparently 5.5gbps but around 400mbps reached our port from upstream's point of view. The kernel interfaces counted around 50mbps:

https://redmine.koumbit.net/attachments/download/7706
https://redmine.koumbit.net/attachments/download/7707
https://redmine.koumbit.net/attachments/download/7708
https://redmine.koumbit.net/attachments/download/7709

The load on the router was fine during the DDOS, but of course packet loss was endemic.

At this point, I'm considering the following options:

* switching to an Intel IGB NIC
* enabling fastforwarding
* tweaking the number of IGB queues

Any recommendations would be welcome.

Thanks!

A.

-- 
feature, n: a documented bug | bug, n: an undocumented feature - Mario S F Ferreira <li...@freebsd.org>

_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
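Whichever of the three options above gets tried (different NIC, fastforwarding, queue count), the useful yardstick is the same one the post already uses: input packets versus input errors/drops on the interface, sampled per second. The script below is an added example, not code from the original post or from FreeBSD; it sums samples in the layout that `netstat -I igb0 -w 1` prints on FreeBSD 9/10 (assumed column order: ipkts ierrs idrops ibytes opkts oerrs obytes colls, header lines skipped) and reports average pps, average error and drop rates, and the loss percentage, so a before/after comparison of each tweak is a number rather than a feeling. The sample counters are constructed to resemble the figures in the post (100kpps passed, 700kpps errors).

```shell
#!/bin/sh
# Added example, not from the original post or from FreeBSD.
# Reads netstat -w style sample lines on stdin (assumed columns:
#   ipkts ierrs idrops ibytes opkts oerrs obytes colls)
# and prints: avg_ipkts_per_sample avg_ierrs avg_idrops loss_pct
loss_summary() {
    awk '
    $1 ~ /^[0-9]+$/ {              # data lines only; headers are skipped
        n++; ipkts += $1; ierrs += $2; idrops += $3
    }
    END {
        if (n == 0) { print "no samples"; exit 1 }
        total = ipkts + ierrs + idrops
        pct = (total > 0) ? 100 * (ierrs + idrops) / total : 0
        printf "%d %d %d %.1f\n", ipkts / n, ierrs / n, idrops / n, pct
    }'
}

# Exit 0 when input loss (errs + idrops) over the samples is below $1
# percent, 1 otherwise (or when there were no usable samples). Meant for
# an alerting hook or a quick pass/fail check after a tuning change.
loss_under() {
    limit="$1"
    loss_summary | awk -v limit="$limit" '
        NF < 4 { exit 1 }
        { exit ($4 + 0 < limit + 0) ? 0 : 1 }'
}

# Constructed sample in the layout of `netstat -I igb0 -w 1` during the
# event described in the post; two one-second samples.
SAMPLE='            input          (igb0)           output
   packets  errs idrops      bytes    packets  errs      bytes colls
    100000 700000     0   64000000      90000     0   57600000     0
    102000 698000     0   65280000      91000     0   58240000     0'

# Constructed sample of a quiet interface, for comparison.
QUIET='   packets  errs idrops      bytes    packets  errs      bytes colls
      1000     0     0     640000       1000     0     640000     0
      1000     0     0     640000       1000     0     640000     0'

printf '%s\n' "$SAMPLE" | loss_summary
printf '%s\n' "$QUIET" | loss_summary
```

In use, replace the constructed samples with `netstat -I igb0 -w 1` piped in for a fixed number of seconds (for example `netstat -I igb0 -w 1 -q 10 | loss_summary`, where `-q` is the sample count), and run it once per candidate setting under the same traffic; `loss_under 5` as a cron or monitoring check turns the same counters into an alert when the ratio climbs.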