Subject: Re: interrupt rate from a NIC
To: Kamal R Prasad <>
From: Michael Graff <>
List: tech-net
Date: 05/23/2003 01:56:25
"Kamal R Prasad" <> writes:

>>It is trivial to DDoS a machine and cause the famous "live-lock"
>>problem.  This is where interrupts come in so fast that you can't do
>>anything but service them, if that.
> looks like everybody else has a different opinion.

I have experienced DDoS attacks that were generating a mere 40 Mbps or
so of traffic, but my machine was knocked down hard.  It may not have
been an interrupt issue, but there were no mbufs anywhere but in the
ip input queue, and serial console was not responding after a short
while.  Unplugging the ethernet made the serial console respond.

>>Mbps connected Pentium-3 866 Mhz.  I know this from experienced.
> is there a mathematical formula to decide if for a given cpu & bandwidth, 
> whether this type of DoS is feasible?

Probably, but it will be a range, and is probably extremely dependent
on the ethernet card in use.  Some are much more efficient and do a
lot of handy work for you, while others are thick as a brick and you
have to drag each packet kicking and screaming from them.