Re: SYN floods and LVS-NAT CPU Load

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: Re: SYN floods and LVS-NAT CPU Load
From: Fabrice <fabrice@xxxxxxxxxx>
Date: Tue, 11 Dec 2001 20:50:23 +0100

I found why my PIII 500 client couldn't send more than 2000 SYN/s :)
It was because that client is also providing the Internet connection to my
LVS box (gateway) and used NAT for that. Some modules slowed the
output rate down (one of the connection tracking modules). I removed
them and finally reached 60K SYN/s, with a mean of about 54K.

That time the load on the LVS-NAT box was a lot higher (always 100%
system usage, and a switch between the ttys took about 3-5 seconds).
That poor box couldn't handle the load and wasn't able to send back
packets (maybe only 10 per second). This means that the DoS was
successful, but it only works during the flood; it won't break any
services (thanks to SYN cookies).

I think the only way to prevent the DoS in this case is to upgrade the
LVS box hardware :)

I looked with vmstat 1 and 10, as Julian recommended.
Shouldn't the number of interrupts with "vmstat 10" be
10 times that of "vmstat 1"?

I got with vmstat 1: interrupts = ca. 400'000,  cpu sys = 100
and with vmstat 10: interrupts = ca. 60'000, cpu sys = 100


Fabrice Bucher
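Added example, not part of Fabrice's message or of the LVS code: vmstat's "in" column is the kernel interrupt counter's delta divided by the sampling interval, i.e. an average per second, so a 10-second interval yields a per-second average of that window rather than a tenfold count. The script below parses the `intr` line of /proc/stat and computes window averages over a constructed counter trace with a short burst; all function names and the trace are hypothetical.

```python
"""Interrupt-rate sampling from /proc/stat, the counter behind vmstat's
"in" column. Constructed example; names and trace are hypothetical."""


def parse_intr_total(procstat_text: str) -> int:
    """Return the total interrupt count from /proc/stat text.
    The line has the form: intr <total> <per-irq counts...>."""
    for line in procstat_text.splitlines():
        if line.startswith("intr "):
            return int(line.split()[1])
    raise ValueError("no intr line in /proc/stat text")


def rate_per_second(total_before: int, total_after: int, seconds: float) -> float:
    """Average interrupts per second over a window, the way vmstat reports
    it: counter delta divided by window length, not the raw delta."""
    if seconds <= 0:
        raise ValueError("window must be positive")
    return (total_after - total_before) / seconds


def window_rates(samples, window):
    """Per-second average for each consecutive window of `window` seconds.
    `samples` are cumulative counter readings taken one second apart."""
    return [rate_per_second(samples[i], samples[i + window], window)
            for i in range(0, len(samples) - window, window)]


def spikes(rates, baseline, factor=10.0):
    """Indexes of windows whose rate exceeds `factor` times the baseline;
    an interrupt storm is one symptom of a SYN flood hitting a NAT director."""
    return [i for i, r in enumerate(rates) if r > factor * baseline]


# Constructed /proc/stat fragment, as read at one instant.
PROCSTAT_SAMPLE = "cpu 10 0 20 970 0 0 0\nintr 12345 9000 0 3345\nctxt 42\n"

# Constructed counter trace: ~1,000 interrupts/s idle, a 3-second burst at
# ~400,000/s, then idle again. Cumulative totals one second apart.
PER_SECOND = [1000] * 4 + [400000] * 3 + [1000] * 4
SAMPLES = [0]
for _n in PER_SECOND:
    SAMPLES.append(SAMPLES[-1] + _n)

if __name__ == "__main__":
    print("intr total:", parse_intr_total(PROCSTAT_SAMPLE))
    print("1 s windows:", window_rates(SAMPLES, 1))    # peaks at 400000.0
    print("10 s window:", window_rates(SAMPLES, 10))   # [120700.0], lower
    print("spike windows:", spikes(window_rates(SAMPLES, 1), 1000))
```

With a bursty source, the 1-second windows show the peak rate while the 10-second window reports the average over the whole window, which is why the two vmstat readings need not differ by a factor of ten.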
