Re: 6.x, 4.x ipfw/dummynet pf/altq - network performance issues

Send a flood of 60 byte SYN packets with the TCP SACK option through it and check out what happens. It's pretty weird and I can't explain why. If you block the packets on the box via ipfw it's fine, the second it has to make a routing decision everything goes out the window, it seems. There's 100% packet loss on all protocols. I'm not using NAT, there are real IPs in different C classes on the other side of the box.


Freddie Cash wrote:
> On Thursday 15 February 2007 11:43 am, Justin Robertson wrote:
> > Playing with these sysctl values made 0 difference - what's supposed
> > to happen???
> >
> > Another scary discovery - if you've got 6.2 setup to route, even with
> > static routes, 1Mbps of TCP SYN traffic will cause it to start dropping
> > packets in every direction. Awesome. Methinks I'll be using 4.11 for a
> > while. ;P
>
> How are you measuring that?
>
> We have a dual-Opteron 2 GHz box with 4 GB RAM that handles routing for 7 fibre-connected sites (1 Gbps fibre links but limited by the firewalls at the sites to 100 Mbps) and connects to the Internet via a 1 Gbps link.
>
> All the routing on this box is handled via static routes, and we get a sustained 10 Mbps of traffic through the box. Nobody's complained about their access (which isn't surprising since we upgraded their Internet connections from a 2 Mbps shared cable connection to a dedicated 1 Gbps fibre link).
>
> FreeBSD 6.1-p11, about 100 ipfw rules, doing NAT for 4 servers, using 2x bge(4) devices and 1x fxp(4) device.



--
Justin
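Freddie's question "How are you measuring that?" is the practical one: before comparing 4.11 and 6.2 it helps to know the actual SYN rate the router is seeing. The script below is an added example, not code from the thread or from FreeBSD. It assumes packets were captured with `tcpdump -nn` in its usual text format and uses the 60-byte frame size Justin mentions to convert a SYN packet rate into an estimated line rate; the sample capture lines are constructed for illustration.

```python
"""Quantify a SYN flood from tcpdump text output.

Added example, not from the thread: parses tcpdump -nn style lines, counts
bare SYNs (Flags [S]) per second, notes how many carry the sackOK option,
and turns the busiest second into an estimated bit rate using the 60-byte
frame size stated in the post. Sample lines below are constructed.
"""
import re
from collections import Counter

# One tcpdump -nn line looks like:
#   HH:MM:SS.ffffff IP src.sport > dst.dport: Flags [S], seq ..., options [...], length N
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2})\.\d+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\](?P<rest>.*)$"
)
FRAME_BYTES = 60  # on-wire size of a minimal SYN frame, as stated in the post


def parse_line(line):
    """Return a dict for one tcpdump packet line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    opts = re.search(r"options \[([^\]]*)\]", m.group("rest"))
    return {
        "ts": m.group("ts"),          # whole-second timestamp, used as the bucket key
        "src": m.group("src"),
        "dst": m.group("dst"),
        "flags": m.group("flags"),
        # sackOK is only ever negotiated in SYN / SYN-ACK option lists
        "sack": bool(opts and "sackOK" in opts.group(1)),
    }


def is_bare_syn(pkt):
    """[S] is a client SYN; [S.] is a SYN-ACK reply and is not flood traffic."""
    return pkt["flags"] == "S"


def syn_frames_per_second(mbps, frame_bytes=FRAME_BYTES):
    """How many frames of the given size make up a given bit rate."""
    return mbps * 1e6 / (frame_bytes * 8)


def mbps_for_syn_rate(pps, frame_bytes=FRAME_BYTES):
    """Inverse: estimated line rate for a given SYN packet rate."""
    return pps * frame_bytes * 8 / 1e6


def summarize(lines):
    """Count packets, bare SYNs, SYNs with sackOK and the busiest second."""
    per_sec = Counter()
    total = Counter()
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue  # skip tcpdump banners, truncated or non-IP lines
        total["packets"] += 1
        if is_bare_syn(pkt):
            total["syn"] += 1
            per_sec[pkt["ts"]] += 1
            if pkt["sack"]:
                total["syn_sack"] += 1
    peak = max(per_sec.values(), default=0)
    return {
        "packets": total["packets"],
        "syn": total["syn"],
        "syn_sack": total["syn_sack"],
        "peak_syn_per_sec": peak,
        "peak_mbps_estimate": mbps_for_syn_rate(peak),
        "syn_share": total["syn"] / total["packets"] if total["packets"] else 0.0,
    }


# Constructed sample: three bare SYNs in one second (two with sackOK), a SYN-ACK,
# one more SYN in the next second, and a data segment on an established flow.
SAMPLE = """\
11:43:00.000100 IP 192.0.2.10.40001 > 198.51.100.20.80: Flags [S], seq 1, win 65535, options [mss 1460,sackOK], length 0
11:43:00.000200 IP 192.0.2.11.40002 > 198.51.100.20.80: Flags [S], seq 2, win 65535, options [mss 1460,sackOK], length 0
11:43:00.000300 IP 198.51.100.20.80 > 192.0.2.10.40001: Flags [S.], seq 100, ack 2, win 65535, options [mss 1460], length 0
11:43:00.000400 IP 192.0.2.12.40003 > 198.51.100.21.22: Flags [S], seq 3, win 65535, options [mss 1460], length 0
11:43:01.000100 IP 192.0.2.13.40004 > 198.51.100.20.80: Flags [S], seq 4, win 65535, options [mss 1460,sackOK], length 0
11:43:01.000200 IP 192.0.2.10.40001 > 198.51.100.20.80: Flags [P.], seq 1:51, ack 101, win 65535, length 50
"""

if __name__ == "__main__":
    print(summarize(SAMPLE.splitlines()))
    print("1 Mbps of 60-byte SYNs is about %.0f frames/s" % syn_frames_per_second(1.0))
```

Run it against real output with `tcpdump -nn -i <ifname> 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn' | python3 script.py` (feeding `sys.stdin` to `summarize`) on the router's inside and outside interfaces; comparing the two counts during a test shows whether the box is forwarding the SYNs or dropping them, which is the behaviour the post describes. The conversion helper also makes the "1Mbps of TCP SYN traffic" figure concrete: at 60 bytes per frame that is roughly 2,083 packets per second.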



freebsd-performance@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-performance


