It may be a little bit off the topic, but I'm curious about the behavior of
the Linux kernel on DDoS.
The result of my test is as follows:
1. When there are too many incoming packets, network drivers begin to cry.
(saying, for example, "card reports no resource..")
2. The more the packets come, the less the kernel can process.
(e.g., when packets come at the rate of 130000 pkt/s, the kernel processes 50000 pkt/s,
while when packets come at the rate of 90000 pkt/s, the kernel processes 80000 pkt/s)
3. After the kernel is stressed by the packets for 10s of seconds, the kernel
begins to drop all the packets.
4. After 10s of seconds, the kernel restarts processing packets.
Reasons (?):
1. Once I thought it was the function of the ipvs code. But it's not.
Because I didn't configure any ipvs settings in the test, and the sysctl
variables for DoS were disabled,
though the kernel was a 2.2.16 kernel patched with ipvs-0.9.15.
2. I thought the network driver might make that problem.
When it's stressed too much, it might be locked for seconds... But I think
it's not probable now.
I've tested 3com, eepro100, realtek, which gave the same result.
3. I think there is code somewhere in the kernel which makes the kernel
drop normal packets on some condition (when it should not).
For example, the netdev_max_backlog variable in net/core/dev.c is fixed to 300.
I don't know what the value means and why it's fixed to that value.
Do you have any idea?
>
> This result is expected. Have you seen DDoS :)
>
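Added example, not part of the original message: one way to check whether drops like those in point 3 come from the input backlog limit (netdev_max_backlog). It assumes a kernel that exposes /proc/net/softnet_stat, which is newer than the 2.2.16 kernel in the post; the sample rows and function names are constructed for illustration.

```python
import os

# Assumed layout of /proc/net/softnet_stat: one row per CPU, hex columns.
#   col 0 = packets processed
#   col 1 = packets dropped because the input backlog queue was full
#   col 2 = time_squeeze (softirq ran out of budget with work remaining)
STAT_PATH = "/proc/net/softnet_stat"
BACKLOG_PATH = "/proc/sys/net/core/netdev_max_backlog"

# Constructed snapshots (not captured from a real host), taken some time apart.
SAMPLE_BEFORE = """\
0007a120 0000c350 00000012 00000000 00000000 00000000 00000000 00000000
0001e240 00000000 00000003 00000000 00000000 00000000 00000000 00000000
"""
SAMPLE_AFTER = """\
0007c830 0000ea60 00000020 00000000 00000000 00000000 00000000 00000000
0001e2a4 00000000 00000003 00000000 00000000 00000000 00000000 00000000
"""

def parse_softnet(text):
    """Return a list of per-CPU counter dicts from softnet_stat text."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # skip blank or truncated rows
        processed, dropped, squeezed = (int(f, 16) for f in fields[:3])
        rows.append({"cpu": len(rows), "processed": processed,
                     "dropped": dropped, "time_squeeze": squeezed})
    return rows

def delta(before, after):
    """Counters are cumulative, so compare two snapshots per CPU."""
    return [{"cpu": a["cpu"],
             "processed": a["processed"] - b["processed"],
             "dropped": a["dropped"] - b["dropped"],
             "time_squeeze": a["time_squeeze"] - b["time_squeeze"]}
            for b, a in zip(before, after)]

def cpus_dropping(deltas):
    """CPUs whose backlog overflowed during the interval."""
    return [d["cpu"] for d in deltas if d["dropped"] > 0]

if __name__ == "__main__":
    if os.path.exists(BACKLOG_PATH):
        print("netdev_max_backlog =", open(BACKLOG_PATH).read().strip())
    d = delta(parse_softnet(SAMPLE_BEFORE), parse_softnet(SAMPLE_AFTER))
    for row in d:
        print(row)
    print("CPUs with backlog drops:", cpus_dropping(d))
```

To use it on a live host, read STAT_PATH twice a few seconds apart and pass both snapshots to `delta` in place of the constructed samples.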