[Oisf-users] Occasional burst of packet loss

Cooper F. Nelson cnelson at ucsd.edu
Mon Nov 3 20:25:31 UTC 2014

On 11/3/2014 11:35 AM, Yasha Zislin wrote:
> When you say "If the packets all have the same src/dst ports/IPs,
> then they are all going to be handled by the same thread", do you mean
> that all of these four (src IP, dst IP, src Port and dst Port) have to
> be the same for one thread to be utilized? What if one of these four is
> different, is it still the same thread? For example, ping sweep or port
> scan.

Yes, a hash (called the "flow key") is computed based on the four-tuple
of the src IP/port and dst IP/port.  See:

> https://www.kernel.org/doc/Documentation/networking/scaling.txt

> I did packet profiling with Suricata and it is about 99% HTTP(s).
> I guess, I am trying to figure out if there is a way to reduce packet
> loss and improve performance while being attacked by either DDOS or
> something else.

You can use bpf filters to sample traffic.  Peter Manev wrote a blog
post about this:

> http://www.pevma.blogspot.se/2014/06/suricata-idps-getting-best-out-of.html

Keep in mind that if you are sampling flows you may miss some attacks.

-Coop

> Thanks.
>> Date: Mon, 3 Nov 2014 11:18:59 -0800
>> From: cnelson at ucsd.edu
>> To: coolyasha at hotmail.com; oisf-users at lists.openinfosecfoundation.org
>> Subject: Re: [Oisf-users] Occasional burst of packet loss
> It doesn't even have to be a DOS attack. Any single high-volume flow
> can peg a CPU as the individual packets within the flow are tied to a
> single core.
> So, for example, our ISP has a /24 dedicated to CDN servers (like Akamai
> and Netflix) and I've seen many cases where a single IP conversation to
> this block causes a DOS condition. Since we are a gigabit network, it's
> not uncommon for a big download (like an Apple update) to average
> 500Mbit/second. If the packets all have the same src/dst ports/IPs,
> then they are all going to be handled by the same thread.
> Re: packet loss on the internal interface. Are you monitoring internal
> flows? Do you have jumbo frames enabled? Local <-> Local IP flows are
> also an issue as of course they can be extremely high volume.
> Especially for well-tuned protocols like NFS.
> -Coop
> On 11/3/2014 10:09 AM, Yasha Zislin wrote:
>> Coop,
>> That makes sense. So you are saying that if there is a DOS attack to one
>> host, only one thread would be utilized for inspection? It wouldn't just
>> spread out across all detection threads?
>> Also, I did look at other threads and some have less
>> capture.kernel_packets and some have MORE. These with higher values have
>> no packet loss.
>> Here is another twist to the story.
>> So these two SPAN ports that I monitor are before and after border
>> firewall. Packet loss occurs only on internal interface. I would think
>> that the firewall has high chance of stopping DOS attack.
>> Thanks for the info.

-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
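As an added illustration (not code from this thread, from Suricata or from the kernel), the flow-key behaviour described above: a symmetric hash over the four-tuple picks the worker, so every packet of one big download lands on a single worker while a port scan or ping sweep spreads across workers. The hash function, worker count and traffic below are constructed assumptions, not Suricata's actual hash.

```python
import hashlib
from collections import Counter
from ipaddress import ip_address

# Assumption: an illustrative symmetric flow-key hash. It is NOT the hash
# Suricata or RSS uses; any deterministic hash shows the same distribution.
def flow_key(src_ip, src_port, dst_ip, dst_port, proto=6):
    a = (ip_address(src_ip).packed, src_port)
    b = (ip_address(dst_ip).packed, dst_port)
    lo, hi = sorted([a, b])  # order endpoints so both directions share a key
    return (lo[0] + lo[1].to_bytes(2, "big")
            + hi[0] + hi[1].to_bytes(2, "big") + bytes([proto]))

def worker_for(pkt, n_workers):
    """Map one packet tuple (src_ip, src_port, dst_ip, dst_port[, proto]) to a worker."""
    digest = hashlib.sha1(flow_key(*pkt)).digest()
    return int.from_bytes(digest[:4], "big") % n_workers

def distribute(packets, n_workers=8):
    """Count how many packets each worker would have to inspect."""
    return Counter(worker_for(p, n_workers) for p in packets)

# Constructed traffic samples (documentation address ranges).
def big_download(n=1000):
    # One TCP conversation to a CDN host: identical 4-tuple on every packet.
    return [("10.0.0.5", 51234, "203.0.113.10", 443) for _ in range(n)]

def port_scan(n=1000):
    # One scanner source, one target host, a different dst port per packet.
    return [("10.0.0.99", 40000, "203.0.113.10", 1 + i) for i in range(n)]

def ping_sweep(n=254):
    # ICMP (proto 1, no ports): the dst IP changes on every packet.
    return [("10.0.0.99", 0, f"203.0.113.{1 + i}", 0, 1) for i in range(n)]

if __name__ == "__main__":
    for name, pkts in (("download", big_download()),
                       ("port scan", port_scan()),
                       ("ping sweep", ping_sweep())):
        print(name, dict(sorted(distribute(pkts).items())))
```

The download prints a single worker carrying all 1000 packets, which is the "one core pegged" condition from the thread; the scan and sweep print counts spread over several workers.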