[Oisf-users] Occasional burst of packet loss

Peter Manev petermanev at gmail.com
Tue Nov 4 23:11:29 UTC 2014


On Tue, Nov 4, 2014 at 5:38 PM, Yasha Zislin <coolyasha at hotmail.com> wrote:
> How do you increase socket buffers?
>
> I've increased a lot of buffers already. That's why my memory utilization is
> high.
> I've also maxed out NIC buffers and PF_RING ring size.

Could you describe how and which NIC buffers did you max out?

Suggestion for pf_ring in general:
In a terminal:
-> modprobe pf_ring transparent_mode=0 min_num_slots=65534 enable_tx_capture=0

to confirm:
-> cat /proc/net/pf_ring/info

In suricata.yaml
->max-pending-packets: 65534

Which Suricata version are you using?

>
> Thanks.
>
>> Date: Tue, 4 Nov 2014 08:11:36 -0800
>> From: cnelson at ucsd.edu
>> To: coolyasha at hotmail.com; oisf-users at lists.openinfosecfoundation.org
>> Subject: Re: [Oisf-users] Occasional burst of packet loss
>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Not sure if this works the same as with PF_RING, but I've found
>> increasing the socket buffers can help with packet drops during DOS
>> attacks when running in AF_PACKET mode. eg:
>>
>> > buffer-size: 1048576
>>
>> On 11/3/2014 11:35 AM, Yasha Zislin wrote:
>> >
>> > I guess, I am trying to figure out if there is a way to reduce packet
>> > loss and improve performance while being attacked by either DDOS or
>> > something else.
>> >
>> > Thanks.
>> >
>>
>> - --
>> Cooper Nelson
>> Network Security Analyst
>> UCSD ACT Security Team
>> cnelson at ucsd.edu x41042
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v2.0.17 (MingW32)
>>
>> iQEcBAEBAgAGBQJUWPq4AAoJEKIFRYQsa8FWVu0IAMr8JKausfNOpGwachndvXn7
>> 5GKrmgWi/LJ2jNIWc5UVpC5a/JfxfS4WR2crzWbTpaSqjiIGwskhmfsFEg9zaUfq
>> d9npoo8W6hL7EW/18f+29zajtwoCry58W1ZqLHFPBBEfOoGV0f4NQOCEi6tudf6M
>> CEFIkyhEMeXhNzg++bm22TUjhEHesa1S92tStS0zniYJrRhyGTX6B/kXEzedEk/l
>> Adx5yzgJrWAsSFgxTR6I1JjsOaBwQvUqsE7uYlEQb9JVOpwK0DGQitXQfUmQ+vWx
>> nFMkxHAkqIgOJq4WXn1SGnUEZ9hsojZIMh+C1kUc6HUPdOCUlJKVCKQYyDoX4js=
>> =9Bcm
>> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Training now available: http://suricata-ids.org/training/



-- 
Regards,
Peter Manev



More information about the Oisf-users mailing list