[Oisf-users] Occasional burst of packet loss
Cooper F. Nelson
cnelson at ucsd.edu
Mon Nov 3 20:25:31 UTC 2014
On 11/3/2014 11:35 AM, Yasha Zislin wrote:
> When you say "If the packets all have the same src/dst ports/IPs,
> then they are all going to be handled by the same thread", do you mean
> that all of these four (src IP, dst IP, src Port and dst Port) have to
> be the same for one thread to be utilized? What if one of these four is
> different, is it still the same thread? For example, ping sweep or port
> scan.
Yes, a hash (called the "flow key") is computed based on the four-tuple
of the src IP/port and dst IP/port. See:
https://www.kernel.org/doc/Documentation/networking/scaling.txt
>
> I did packet profiling with Suricata and it is about 99% HTTP(s).
>
> I guess, I am trying to figure out if there is a way to reduce packet
> loss and improve performance while being attacked by either DDOS or
> something else.
You can use bpf filters to sample traffic. Peter Manev wrote a blog
post about this:
http://www.pevma.blogspot.se/2014/06/suricata-idps-getting-best-out-of.html
Keep in mind that if you are sampling flows you may miss some attack
vectors.
-Coop
> Thanks.
>
>> Date: Mon, 3 Nov 2014 11:18:59 -0800
>> From: cnelson at ucsd.edu
>> To: coolyasha at hotmail.com; oisf-users at lists.openinfosecfoundation.org
>> Subject: Re: [Oisf-users] Occasional burst of packet loss
>>
> It doesn't even have to be a DOS attack. Any single high-volume flow
> can peg a CPU as the individual packets within the flow are tied to a
> single core.
>
> So, for example, our ISP has a /24 dedicated to CDN servers (like Akamai
> and Netflix) and I've seen many cases where a single IP conversation to
> this block causes a DOS condition. Since we are a gigabit network, it's
> not uncommon for a big download (like an Apple update) to average
> 500Mbit/second. If the packets all have the same src/dst ports/IPs,
> then they are all going to be handled by the same thread.
>
> Re: packet loss on the internal interface. Are you monitoring internal
> flows? Do you have jumbo frames enabled? Local <-> Local IP flows are
> also an issue as of course they can be extremely high volume.
> Especially for well-tuned protocols like NFS.
>
> -Coop
>
> On 11/3/2014 10:09 AM, Yasha Zislin wrote:
>> Coop,
>
>> That makes sense. So you are saying that if there is a DOS attack to one
>> host, only one thread would be utilized for inspection? It wouldn't just
>> spread out across all detection threads?
>
>> Also, I did look at other threads and some have less
>> capture.kernel_packets and some have MORE. These with higher values have
>> no packet loss.
>
>> Here is another twist to the story.
>> So these two SPAN ports that I monitor are before and after border
>> firewall. Packet loss occurs only on internal interface. I would think
>> that the firewall has high chance of stopping DOS attack.
>
>> Thanks for the info.
>
>
--
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
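As an added illustration that is not part of the thread, the following Python models the four-tuple hashing Coop describes: a Toeplitz hash as used by NIC RSS (the mechanism in the scaling.txt link; Suricata's af-packet fanout uses the kernel's own flow hash instead, but the same property holds). Worker counts, addresses and the "download"/"scan" packet lists are constructed for the demo; the verification key and test vectors come from the RSS specification.

```python
import ipaddress
import struct

# Microsoft RSS verification key (40 bytes) from the RSS spec.
RSS_KEY = bytes.fromhex(
    "6d5a56da255b0ec24167253d43a38fb0d0ca2bcbae7b30b4"
    "77cb2da38030f20c6a42b73bbeac01fa")
# Repeating 0x6D5A key: swapping src/dst yields the same hash, so both
# directions of a flow reach the same queue (the usual "symmetric RSS" trick).
SYM_KEY = bytes.fromhex("6d5a" * 20)


def toeplitz(key: bytes, data: bytes) -> int:
    """Toeplitz hash: XOR the 32-bit key window at every set input bit, MSB first."""
    key_int = int.from_bytes(key, "big")
    key_bits = len(key) * 8
    assert key_bits >= len(data) * 8 + 32, "key too short for this input"
    h = 0
    for i in range(len(data) * 8):
        if (data[i // 8] >> (7 - i % 8)) & 1:
            h ^= (key_int >> (key_bits - 32 - i)) & 0xFFFFFFFF
    return h


def flow_key(src_ip: str, dst_ip: str, sport: int, dport: int) -> bytes:
    """IPv4/TCP 4-tuple laid out as RSS hashes it: src IP, dst IP, src port, dst port."""
    return (ipaddress.IPv4Address(src_ip).packed
            + ipaddress.IPv4Address(dst_ip).packed
            + struct.pack("!HH", sport, dport))


def worker_for(key: bytes, pkt: tuple, n_workers: int) -> int:
    """Worker/queue chosen for one packet (real NICs index an indirection table)."""
    return toeplitz(key, flow_key(*pkt)) % n_workers


def worker_spread(key: bytes, packets: list, n_workers: int) -> set:
    """Set of distinct workers that a packet list lands on."""
    return {worker_for(key, p, n_workers) for p in packets}


def demo(n_workers: int = 8) -> tuple:
    """Constructed traffic: a big single-flow download vs. a port scan."""
    download = [("203.0.113.10", "198.51.100.5", 443, 51000)] * 1000  # one 4-tuple
    scan = [("203.0.113.20", "198.51.100.5", 40000, p) for p in range(1, 65)]
    return (len(worker_spread(RSS_KEY, download, n_workers)),
            len(worker_spread(RSS_KEY, scan, n_workers)))
```

Every packet of the download hits one worker, which is why a single 500 Mbit/s flow pegs one core, while the scan's varying destination port spreads across workers.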