Have you considered using netmap-based ipfw instead of pf in DDoS mitigation? I think you should. And without any network "hacks" like polling.

Cheers,
Vitaly

--- Original Message ---
From: "Antoine Beaupré"
Date: 27 January 2015, 19:28:55

> (Please CC, as I am not on the list.)
>
> I was surprised to read this article in the pfSense blog:
>
> https://blog.pfsense.org/?p=115
>
> TLDR: "At this time, polling is not recommended at all."
>
> Is that true? I am trying to tweak a Supermicro machine as a router to
> survive major DDOS attacks on a 1gbps link. So far, I can't get far
> beyond the 100kpps and 50mbps mark.
>
> The hardware is:
>
> * 2xIntel E1G44HTBLK NICs
> * 1xIntel 1220LV2 CPU
>
> More detailed specs here:
>
> https://wiki.koumbit.net/rtr1.koumbit.net
>
> We are using a stateful pf firewall and polling on the network
> interfaces. We got around 100kpps during the DDOS, with 700kpps dropped
> (or at least 700k/s errors) on the NIC. The DDOS was apparently 5.5gbps
> but around 400mbps reached our port from upstream's point of view. The
> kernel interfaces counted around 50mbps:
>
> https://redmine.koumbit.net/attachments/download/7706
> https://redmine.koumbit.net/attachments/download/7707
> https://redmine.koumbit.net/attachments/download/7708
> https://redmine.koumbit.net/attachments/download/7709
>
> The load on the router was fine during the DDOS, but of course packet
> loss was endemic.
>
> At this point, I'm considering the following options:
>
> * switching to an Intel IGB nic
> * enabling fastforwarding
> * tweak the number of IGB queues
>
> Any recommendations would be welcome.
>
> Thanks!
>
> A.
>
> --
> feature, n: a documented bug | bug, n: an undocumented feature
> - Mario S F Ferreira
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"