
My machine is being flooded with thousands of packets per second. They don't eat much bandwidth (60mbps out of 1gbit) but they damage the system a lot by consuming the CPU responsible for handling network card interrupts. ksoftirqd goes to 100% and the machine becomes almost inaccessible. How can I deal with this kind of attack - throwing a huge number of random packets? Is there any way to somehow tweak handling of server interrupts or distribute it over other CPUs?

My network card uses NAPI, the Linux kernel is 2.6.31.5

rfire

1 Answer


You need to contact your upstream provider and have them block, filter or otherwise prevent the packets from this DDOS from reaching you. There's really not much you can do by the time they arrive on your server.

You can try to block the source IP addresses using iptables, but likely the (computational) damage is already done by the time iptables actually looks at the packets and decides to drop them.

EDIT:

Your comment doesn't make sense to me. You have a DDOS caused by lots of packets or specially crafted packets (or both) causing too much computational overhead due to interrupt switching. Are they coming from one or a few sources? Have your upstream provider drop packets from that source(s)? Profit! If they never get to your machine - they'll never cause the problem in the first place. There's no magic you can do on the host to prevent this from happening once the packets have already arrived. You need to have dropped the packets before they arrive on your machine. Contact your service provider or hosting company.

  • The attack is one level "deeper"; what I mean is I could block the whole machine to only one IP address but it would still be inaccessible since packets come in and generate interrupts which still consume CPU. – rfire Dec 11 '11 at 23:55
  • Please see my edit. –  Dec 11 '11 at 23:58
  • No, unfortunately they come from a variety of spoofed sources so it's impossible to block them by source IP. The packets are totally random, they only have one thing in common - the destination port. – rfire Dec 12 '11 at 00:03
  • Sorry, I misunderstood your post, of course I've been talking about blocking the machine to only one IP address but on the server level. – rfire Dec 12 '11 at 00:12
  • I still have no idea what you're asking... what does "server-level" mean? Who controls your connection to the internet? Call them and ask them to drop traffic to your server's IP address and the specific destination port (provided that that port isn't used for other services you need). –  Dec 12 '11 at 01:30
  • The question was - is there any way to improve handling of interrupts, because right now they are killing the machine. I'm not asking how to deal with a DDoS ;) For example, I've heard about interrupt coalescence, something about Facebook IRQ balancing - however I couldn't find their kernel patch; heard about a network card infrastructure where they use 4 queues for RX/TX, so maybe somehow you can set up different CPU cores to handle interrupts from different queues. On the server level - I meant something which I realized you posted before: "but likely the (computational) damage is already done"... – rfire Dec 12 '11 at 05:24
  • ...the packet arrives, the CPU is already consumed and it doesn't really matter for a dedicated server if a packet is blocked on the firewall or not (this is what I meant by saying that I could lock up the machine to only one IP address (using iptables on the "server level") but it wouldn't deal with the problem). Since the packets are totally random (they are not crafted like you said) on destination port 80 - my ISP can't block them. They all have a wrong checksum, but when I asked if it's possible to drop packets with a wrong checksum before they hit my dedicated server they said 'sorry, no can do'. – rfire Dec 12 '11 at 05:24
  • Sorry to say this, but I think you're SOL. Find a new hosting company. My only suggestion at this point would be to put a device in-line between your service provider and your server and do their job for them. –  Dec 12 '11 at 06:15
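The per-queue interrupt pinning rfire's last comments allude to (one RX/TX queue's IRQ per core, instead of every interrupt landing on CPU0), as an added example that is not code from this thread: it reads `/proc/interrupts`, assigns each queue IRQ of a multi-queue NIC a distinct CPU round-robin, and writes the resulting masks to `/proc/irq/<n>/smp_affinity`. The interface name `eth0`, the 4-queue sample table and the 4-CPU count are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes a Linux host with
# /proc/interrupts and writable /proc/irq/<n>/smp_affinity (root needed for the
# apply step). Stop irqbalance first, or it will rewrite the masks.
# Interrupt coalescing is the other knob mentioned in the thread; on a driver
# that supports it: ethtool -C eth0 rx-usecs 100 (check with ethtool -c eth0).

# Constructed /proc/interrupts excerpt: 4-queue NIC, 4 CPUs, everything on CPU0.
SAMPLE_INTERRUPTS='           CPU0       CPU1       CPU2       CPU3
  40:    1200000          0          0          0   PCI-MSI-edge      eth0-rx-0
  41:    1100000          0          0          0   PCI-MSI-edge      eth0-rx-1
  42:    1300000          0          0          0   PCI-MSI-edge      eth0-rx-2
  43:     900000          0          0          0   PCI-MSI-edge      eth0-rx-3
  44:        321          0          0          0   PCI-MSI-edge      eth0-tx-0'

# plan_affinity IFACE NCPUS  (reads /proc/interrupts-style text on stdin)
# Prints one "IRQ HEXMASK" line per NIC queue, spreading queues over NCPUS
# cores round-robin. The mask is the hex CPU bitmask smp_affinity expects
# (single group, so up to 32 CPUs; larger boxes need comma-separated groups).
plan_affinity() {
    iface=$1; ncpus=$2
    awk -v iface="$iface" -v ncpus="$ncpus" '
        $1 ~ /^[0-9]+:$/ && $NF ~ ("^" iface "-") {
            irq = substr($1, 1, length($1) - 1)   # strip the trailing colon
            cpu = i % ncpus; i++
            printf "%s %x\n", irq, 2 ^ cpu        # bit <cpu> set, in hex
        }'
}

# apply_affinity IFACE NCPUS: write the plan into /proc/irq/<n>/smp_affinity.
apply_affinity() {
    iface=$1; ncpus=$2
    set -- $(plan_affinity "$iface" "$ncpus" < /proc/interrupts)
    while [ $# -ge 2 ]; do
        printf '%s\n' "$2" > "/proc/irq/$1/smp_affinity" || return 1
        shift 2
    done
    # verify: the per-CPU counters for eth0 queues should now grow on
    # different columns:  grep eth0 /proc/interrupts
}

if [ "${1:-}" = "apply" ]; then
    apply_affinity eth0 4
else
    printf '%s\n' "$SAMPLE_INTERRUPTS" | plan_affinity eth0 4
fi
```

Run with no arguments to see the plan computed from the constructed table; run as root with `apply` to pin the live IRQs.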