[Oisf-users] Suricata 2.0 dev, 100% cpu utilization in AF_PACKET + workers mode?
Cooper F. Nelson
cnelson at ucsd.edu
Wed Jul 10 21:00:36 UTC 2013
I've verified that irqbalance has been restarted and UDP is being
properly load balanced:
> sbin # ethtool -n eth2 rx-flow-hash udp4
> UDP over IPV4 flows use these fields for computing Hash flow key:
> IP SA
> IP DA
> L4 bytes 0 & 1 [TCP/UDP src port]
> L4 bytes 2 & 3 [TCP/UDP dst port]

As a test I disabled UDP port 53 traffic via a BPF expression. This
appears to have resolved the issue and I've processed more than 100
million packets per CPU without experiencing any locked threads. I have
observed cores with an idle time of 0% for a short period, but always
recovering.

So, this definitely appears to be a problem with the new DNS parser.
Something interesting about our environment is we have on occasion lots
of non-DNS traffic over port 53. As an example, I often see BitTorrent
connections to off-campus hosts over port 53 (I assume to get around
firewalls on the other end).

How does the parser handle non-DNS traffic on port 53? Is it possible
if it gets too much non-DNS traffic in too short a time frame on a
single thread (like in the BitTorrent case) that there might be issues?

Additionally, is there a way to disable the various app-layer protocol
handlers, either via suricata.yaml or at compile time? I would still
like to run the ET DNS sigs on our DNS traffic.

-Coop

On 7/9/2013 11:46 PM, Peter Manev wrote:
>>
>> Question along those lines, what do the suricata devs feel about the
>> various NIC offloading features re: interaction with suricata?
>
> These, I think should be OFF in general. Suricata must be able to see
> the traffic as it is.
>
> Again, if I may, irqbalance and UDP balancing are very important.
>
>
--
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042