[Oisf-users] Occasional burst of packet loss

Cooper F. Nelson cnelson at ucsd.edu
Mon Nov 3 19:18:59 UTC 2014

It doesn't even have to be a DOS attack.  Any single high-volume flow
can peg a CPU as the individual packets within the flow are tied to a
single core.

So, for example, our ISP has a /24 dedicated to CDN servers (like Akamai
and Netflix) and I've seen many cases where a single IP conversation to
this block causes a DOS condition.  Since we are a gigabit network, it's
not uncommon for a big download (like an Apple update) to average
500Mbit/second.  If the packets all have the same src/dst ports/IPs,
then they are all going to be handled by the same thread.

Re: packet loss on the internal interface.  Are you monitoring internal
flows?  Do you have jumbo frames enabled?  Local <-> Local IP flows are
also an issue as of course they can be extremely high volume.
Especially for well-tuned protocols like NFS.

-Coop

On 11/3/2014 10:09 AM, Yasha Zislin wrote:
> Coop,
> That makes sense. So you are saying that if there is a DOS attack to one
> host, only one thread would be utilized for inspection? It wouldn't just
> spread out across all detection threads?
> Also, I did look at other threads and some have less
> capture.kernel_packets and some have MORE. These with higher values have
> no packet loss.
> Here is another twist to the story.
> So these two SPAN ports that I monitor are before and after border
> firewall. Packet loss occurs only on internal interface. I would think
> that the firewall has high chance of stopping DOS attack.
> Thanks for the info.

-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
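The mechanism Coop describes (every packet of one 5-tuple conversation landing on the same worker, so one bulk flow can saturate a single core while the other cores sit idle) can be reproduced with a small simulation. The code below is an added illustration, not Coop's code and not Suricata's own flow-hash implementation: the hash function, the worker count and the traffic mix are all constructed stand-ins. It builds a direction-independent flow key, hashes it onto a worker index, and reports how unevenly the bytes end up distributed when one 500 Mbit/s-style download runs alongside many small flows.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass

# Assumed worker count for the simulation (a real deployment uses however
# many capture/worker threads Suricata is configured with).
NUM_WORKERS = 8


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int   # IP protocol number, 6 = TCP
    length: int  # bytes on the wire


def flow_key(pkt):
    """Direction-independent 5-tuple.

    Both directions of a conversation (client->server and server->client)
    must map to the same key, otherwise request and reply would land on
    different workers and the flow could not be tracked on one thread.
    """
    a = (pkt.src_ip, pkt.src_port)
    b = (pkt.dst_ip, pkt.dst_port)
    lo, hi = sorted([a, b])
    return (lo[0], lo[1], hi[0], hi[1], pkt.proto)


def worker_for(pkt, num_workers=NUM_WORKERS):
    """Hash the symmetric flow key onto a worker index.

    Constructed stand-in for the NIC RSS hash or Suricata's flow hash: the
    important property is that every packet of one flow yields one index.
    """
    key = repr(flow_key(pkt)).encode()
    digest = hashlib.blake2b(key, digest_size=8).digest()
    return int.from_bytes(digest, "big") % num_workers


def per_worker_load(packets, num_workers=NUM_WORKERS):
    """Bytes handled by each worker index."""
    load = Counter()
    for p in packets:
        load[worker_for(p, num_workers)] += p.length
    return load


def build_sample_traffic():
    """Constructed sample traffic: one bulk download plus many small flows."""
    packets = []
    # Bulk flow: a single TCP conversation, mostly full-size data segments
    # from the server with a small ACK from the client every tenth packet.
    for i in range(20000):
        if i % 10 == 0:
            packets.append(Packet("10.0.0.5", "203.0.113.10", 51234, 443, 6, 60))
        else:
            packets.append(Packet("203.0.113.10", "10.0.0.5", 443, 51234, 6, 1500))
    # Background: 2000 distinct short-lived flows from different clients.
    for i in range(2000):
        src = "10.0.%d.%d" % (i // 256, i % 256)
        packets.append(Packet(src, "198.51.100.7", 40000 + i, 80, 6, 800))
    return packets


def imbalance_report(packets, num_workers=NUM_WORKERS):
    """Share of total bytes handled by the busiest worker versus the ideal."""
    load = per_worker_load(packets, num_workers)
    total = sum(load.values())
    busiest = max(load, key=load.get)
    return {
        "busiest_worker": busiest,
        "busiest_share": load[busiest] / total,
        "ideal_share": 1.0 / num_workers,
        "per_worker_bytes": dict(sorted(load.items())),
    }


if __name__ == "__main__":
    report = imbalance_report(build_sample_traffic())
    print("busiest worker:", report["busiest_worker"])
    print("share of bytes on busiest worker: %.2f (ideal %.2f)"
          % (report["busiest_share"], report["ideal_share"]))
    for w, b in report["per_worker_bytes"].items():
        print("  worker %d: %d bytes" % (w, b))
```

Running it shows the busiest worker carrying well over 90% of the bytes, which is the single-core bottleneck behind the packet loss in the thread: adding more workers does nothing for that flow, because a symmetric hash has to keep it on one thread. The check that matters when debugging this in practice is the one `worker_for` makes visible: both directions of the big conversation map to the same index, so the fix is either more throughput per core or keeping such flows off the sensor (for example by bypassing known CDN prefixes), not more threads.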