Subject: Re: interrupt rate from a NIC
To: None <tech-net@netbsd.org>
From: John Klos <john@sixgirls.org>
List: tech-net
Date: 03/11/2003 17:11:10
Hi,

> > > Are you looking at some real problem or just making up theories?
> > I'm looking at providing a fix for a DDoS wherein the attacker uses
> > many machines to attack a system.

> You are looking at the wrong thing. The interrupt rate is not an issue
> here.

What IS the limiting factor in high packet rate DDoS attacks? I've spent a
month under DDoS attacks which peaked at 200 Mbps. On a 350 MHz 604ev with
a Realtek card, the system could only handle 30-40 Mbps, or up to around
80,000 SYN packets a second. A 933 MHz Pentium 3 system with a 3com card
could only handle somewhere between 80-90 Mbps, or around 200,000 SYN
packets.

Has anyone considered any sort of contingency plan for what a kernel can
do when it has too much work to do? An emergency mode on the main console
would be good; I had access to the serial console on the attacked
machines, but it, of course, did me no good. Just talking out loud, but
it'd be nice.

Since the possibility of DDoS attacks is always present (even after the
current attacker is arrested), I'm VERY interested in spending time
studying the metrics of how the kernel handles different kinds of traffic.

Relatedly, has anyone done any testing of ethernet cards to see which
cause the least amount of overhead?

Thanks,
John Klos
Sixgirls Computing Labs
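The post gives two saturation points (350 MHz at roughly 80,000 SYN/s, 933 MHz at roughly 200,000 SYN/s) and asks how one would study such metrics. The following is an added example, not code from the post or from NetBSD: it turns those two observations into a rough per-SYN CPU-cycle cost, uses that cost to estimate how many SYN/s a given clock rate could absorb, and runs a simple per-second SYN counter over a few constructed tcpdump-style lines to flag seconds that exceed a chosen budget. The timestamps, addresses and the 80% headroom factor are constructed for illustration.

```python
"""Added example (not part of the original post): estimate per-SYN CPU
cost from the saturation points reported on the list, then count SYN/s
in a constructed packet trace and flag seconds over a capacity budget."""
import re
from collections import Counter

# Saturation points quoted in the post: (CPU MHz, SYN packets per second).
# The upper end of each reported range is used.
OBSERVED = [(350, 80_000), (933, 200_000)]


def cycles_per_syn(mhz, syn_per_sec):
    """CPU cycles available per SYN at saturation: clock rate / packet rate."""
    return mhz * 1_000_000 / syn_per_sec


def estimated_capacity(mhz, cycles_per_packet):
    """SYN/s a machine of the given clock could absorb at that per-packet cost."""
    return mhz * 1_000_000 / cycles_per_packet


# Constructed `tcpdump -tt`-style lines: epoch timestamp, src > dst, TCP flags.
SAMPLE_TRACE = """\
1047424270.001 IP 10.0.0.1.1025 > 192.0.2.10.80: S 1:1(0) win 512
1047424270.002 IP 10.0.0.2.1026 > 192.0.2.10.80: S 2:2(0) win 512
1047424270.500 IP 10.0.0.3.1027 > 192.0.2.10.80: . ack 1 win 512
1047424271.001 IP 10.0.0.4.1028 > 192.0.2.10.80: S 3:3(0) win 512
1047424271.002 IP 10.0.0.5.1029 > 192.0.2.10.80: S 4:4(0) win 512
1047424271.003 IP 10.0.0.6.1030 > 192.0.2.10.80: S 5:5(0) win 512
1047424272.001 IP 10.0.0.7.1031 > 192.0.2.10.80: S 6:6(0) win 512
"""

# Whole-second timestamp and the first flag character after the ports.
LINE_RE = re.compile(r"^(\d+)\.\d+ IP \S+ > \S+: (S|\.|P|F|R)")


def syn_rate_per_second(trace):
    """Map each whole second to the number of SYN segments seen in it."""
    counts = Counter()
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(2) == "S":
            counts[int(m.group(1))] += 1
    return dict(counts)


def seconds_over_budget(trace, syn_budget):
    """Seconds in the trace whose SYN count exceeds the given per-second budget."""
    return sorted(sec for sec, n in syn_rate_per_second(trace).items()
                  if n > syn_budget)


def budget_for(mhz, headroom=0.8):
    """Per-second SYN budget for a clock rate, using the dearer observed
    per-SYN cost and keeping `headroom` of the estimated capacity."""
    worst_cost = max(cycles_per_syn(m, r) for m, r in OBSERVED)
    return headroom * estimated_capacity(mhz, worst_cost)


if __name__ == "__main__":
    for mhz, rate in OBSERVED:
        print(f"{mhz} MHz saturates at {rate} SYN/s -> "
              f"{cycles_per_syn(mhz, rate):.0f} cycles per SYN")
    print("SYN/s per second in the constructed trace:",
          syn_rate_per_second(SAMPLE_TRACE))
    # With a real trace the budget would come from the machine's clock;
    # the sample is far too small to approach it, so demonstrate with 2 SYN/s.
    print("seconds over a 2 SYN/s budget:", seconds_over_budget(SAMPLE_TRACE, 2))
    print(f"budget for a 933 MHz box at 80% headroom: {budget_for(933):.0f} SYN/s")
```

The two reported points give similar per-SYN costs (about 4,400 and 4,700 cycles), which is what makes a linear cycles-per-packet model a usable first approximation for capacity planning; a trace from a different NIC or driver would give its own cost figure, which is exactly the per-card overhead comparison the post asks about.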