[Oisf-users] Occasional burst of packet loss
Cooper F. Nelson
cnelson at ucsd.edu
Mon Nov 3 19:18:59 UTC 2014
It doesn't even have to be a DOS attack. Any single high-volume flow
can peg a CPU as the individual packets within the flow are tied to a
single core.
So, for example, our ISP has a /24 dedicated to CDN servers (like Akamai
and Netflix) and I've seen many cases where a single IP conversation to
this block causes a DOS condition. Since we are a gigabit network, it's
not uncommon for a big download (like an Apple update) to average
500Mbit/second. If the packets all have the same src/dst ports/IPs,
then they are all going to be handled by the same thread.
Re: packet loss on the internal interface. Are you monitoring internal
flows? Do you have jumbo frames enabled? Local <-> Local IP flows are
also an issue as of course they can be extremely high volume.
Especially for well-tuned protocols like NFS.
-Coop
On 11/3/2014 10:09 AM, Yasha Zislin wrote:
> Coop,
>
> That makes sense. So you are saying that if there is a DOS attack to one
> host, only one thread would be utilized for inspection? It wouldn't just
> spread out across all detection threads?
>
> Also, I did look at other threads and some have less
> capture.kernel_packets and some have MORE. These with higher values have
> no packet loss.
>
> Here is another twist to the story.
> So these two SPAN ports that I monitor are before and after border
> firewall. Packet loss occurs only on internal interface. I would think
> that the firewall has high chance of stopping DOS attack.
>
> Thanks for the info.
>
--
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
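The mechanism Coop describes, as an added example that is not part of the thread or of Suricata's own code: packets are assigned to a worker by a direction-independent hash of their 5-tuple, so every packet of one high-volume flow lands on the same worker no matter how many workers exist, while many small flows spread out. The traffic below is constructed (IPv4 only), and CRC32 is used as a stand-in for whatever hash the real capture method applies; the shape of the skew, not the exact hash, is the point.

```python
"""Simulate symmetric 5-tuple flow hashing across packet-processing workers.

Constructed example: one CDN-style download (a single 5-tuple) plus many
small flows. The elephant flow's bytes always land on exactly one worker,
so that worker's load dwarfs the average regardless of worker count.
"""
import ipaddress
import struct
import zlib
from collections import Counter


def flow_key(src_ip, dst_ip, src_port, dst_port, proto):
    """Direction-independent flow key (IPv4 only in this example).

    Both halves of a conversation must reach the same worker, so the two
    (ip, port) endpoints are ordered before packing them into bytes.
    """
    a = (int(ipaddress.ip_address(src_ip)), src_port)
    b = (int(ipaddress.ip_address(dst_ip)), dst_port)
    lo, hi = sorted((a, b))
    return struct.pack("!IHIHB", lo[0], lo[1], hi[0], hi[1], proto)


def worker_for(pkt, n_workers):
    """Map a packet to a worker index by hashing its flow key.

    CRC32 stands in for the capture method's real hash; what matters is that
    the mapping is deterministic per flow, not per packet.
    """
    key = flow_key(pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"], pkt["proto"])
    return zlib.crc32(key) % n_workers


def distribute(packets, n_workers):
    """Return a Counter of bytes handled by each worker index."""
    load = Counter()
    for pkt in packets:
        load[worker_for(pkt, n_workers)] += pkt["len"]
    return load


def make_traffic():
    """Constructed sample: one elephant flow and 1,000 mouse flows."""
    # Single big download: 20,000 packets of 1,500 bytes on one 5-tuple (30 MB).
    elephant = [
        dict(src="203.0.113.10", dst="198.51.100.5", sport=443, dport=50123, proto=6, len=1500)
        for _ in range(20000)
    ]
    # 1,000 distinct small flows of 20 x 500-byte packets each (10 MB total).
    mice = []
    for i in range(1000):
        host = f"198.51.100.{(i % 200) + 1}"
        for _ in range(20):
            mice.append(dict(src="203.0.113.20", dst=host, sport=443, dport=10000 + i, proto=6, len=500))
    return elephant, mice


def skew_report(n_workers):
    """Summarise how unevenly the constructed traffic lands on n_workers workers."""
    elephant, mice = make_traffic()
    load = distribute(elephant + mice, n_workers)
    total = sum(p["len"] for p in elephant + mice)
    return {
        # How many distinct workers saw the elephant flow: always 1.
        "elephant_workers": len({worker_for(p, n_workers) for p in elephant}),
        "busiest_bytes": max(load.values()),
        "average_bytes": total / n_workers,
    }


if __name__ == "__main__":
    for n in (4, 8, 16):
        r = skew_report(n)
        print(f"{n:2d} workers: busiest={r['busiest_bytes']:,} avg={r['average_bytes']:,.0f}")
```

Adding workers lowers the average but never lowers the busiest worker's load below the size of the single flow, which is why a core can stay pegged (and drop packets) while the other workers sit mostly idle; the same symmetric key is why an internal-to-internal NFS conversation, with both directions on one worker, is a worst case.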