
Cpu %100

Posted: Mon Dec 11, 2006 11:15 pm
by binary
Hello,

I've a box running MT 2.9.38.
Specs: P4 3.2GHz, 512MB RAM.

We've 40Mbit of traffic routing and have 30-40 simple queues.

When we start to receive a high load of SYN packets (20K packets/s), MikroTik CPU usage becomes 100% and we start having routing problems.

Is there any way to solve this?

I am not looking for a solution to drop these DDoS attacks; I only want MT to route everything, even SYN attacks, to the server while MikroTik is not using 100% CPU.

thanks

edit: After I drop the packets to the destination IPs from the MT firewall, MT CPU usage drops to normal (~40%), and packets start to route again.

Posted: Tue Dec 12, 2006 12:05 am
by changeip
Are you using NAT and/or connection tracking?

Are you logging lots of packets? If you log under these conditions it will tax the CPU big time.

Posted: Tue Dec 12, 2006 12:15 am
by binary
I am not using NAT, but I am using conntrack for some firewall rules.

No logging is active.

Posted: Tue Dec 12, 2006 12:18 am
by changeip
I would think if those packets are being routed (not NATted) it should handle it ...

As a side note, have you turned off hyperthreading in the BIOS? Better performance to use the entire CPU instead of half.

Posted: Tue Dec 12, 2006 12:20 am
by binary
Yes, I disabled HT before installing MT.

There are no NAT rules. Only IP routing.

Posted: Sun Dec 17, 2006 11:10 am
by binary
Today again we got an attack and MikroTik stopped responding. I had disabled conn. track. before, so this is not related.

Is there anyone getting MikroTik to work under a DDoS like 20-30Mbit / 50K p/s?

Will putting in a Xeon CPU make a difference?

We are using a standard PCI Ethernet interface, an RTL8139. Will using a 3Com server Ethernet interface make a difference?

Posted: Sun Dec 17, 2006 8:43 pm
by changeip
Ah ... Realtek. I think that explains it. I think the only cards that will hit that high of a packet rate reliably are the Intel NICs ... they have way better performance. PCI-X or PCI-e if you can with the mobo you have.

Your P4 3.2 should be enough. If you're still having problems it might be because of the queueing, which adds lots of CPU usage under heavy load.

Sam

Posted: Mon Dec 18, 2006 1:16 am
by binary
How foolish I am; I never thought that the NIC could cause it. I was brooding over how to buy a Cisco 7200/12000. I hope this can help to handle that many packets under heavy load.

Also, I've a 4-port Ethernet (100Mb/s, VIA Rhine chipset) adapter which I bought from MT, and an onboard SysKonnect SK98xx/SK95xx GBit interface.

Do you think these NICs will be fine? If I use port 1/4 for input and 2/4 for output, how will the performance be? Will it use the PCI interface twice, for in and out (I guess so)?

What I understand here is that I should get an interface for input and use the 4-port Ethernet adapter for output. Can you suggest a model please with an Intel chipset? What about the Marvell chipset or the RTL8169S-32?

2nd question is: if I use the in and out interfaces as a bridge, and don't assign an IP address to the interfaces, how will this affect performance?

Posted: Mon Dec 18, 2006 2:29 am
by changeip
Intel server NICs are always the top performers in my opinion. Intel desktop NICs are close but not as good as their server NICs. NAPI and adaptive interrupt options (if MT even configures these?) help tremendously under an attack. Think: if every packet that comes in has to cause an interrupt to the CPU, how efficient is that?

Dual and quad Intel NICs are a good option to maximize your slot density.

FireCD is a good testing tool to understand what your hardware can perform to: throw a gigabit SYN flood at it and see what you get.

Posted: Mon Dec 18, 2006 10:01 am
by binary
Are these NICs suitable?

http://www.intel.com/network/connectivi ... dapter.htm 110$

http://www.intel.com/network/connectivi ... dapter.htm 384$

Prices are in Turkey.

Yesterday night, I disconnected the RTL8139 and started to use the 4-port Ethernet which I bought from MikroTik. CPU usage dropped from 50% to 25%. I hope to test under a DDoS attack and see how it handles.

Posted: Mon Dec 18, 2006 11:36 pm
by mortin
Dear Sam,

Could you write some more details about this tool FireCD?
I tried to use Google but with poor results.

Regards
Marcin

Posted: Mon Dec 18, 2006 11:38 pm
by changeip
http://fire.dmzs.com/ (I have a modified version from the DDoS vendor but this one should suffice ... I think)

Posted: Mon Dec 18, 2006 11:41 pm
by mortin
Thanks a lot!

Regards
Marcin

Still going down while getting SYN flood

Posted: Wed Jan 17, 2007 9:14 am
by binary
I had changed the interface to an Intel PRO/1000. Now even while we get an attack, CPU is less than 50%. But still the router can't access the Internet.

While we are getting 30Mbit / 50K SYN packets/s, I can access the MT, I can access servers connected to the MT, but the MT can't access its default gateway (TTNET). Our link to TTNET is 100Mbit.

Network Diagram :
TTNET -Fibre- Summit48s -Copper- MT -Copper- Cisco 3560 Switch

TTNET is Turkish Telecom.
The fibre is connected to Port 49 on the Summit48s, and it is bridged with Port 2 to the MT (I guess Layer 2). There is no IP on the Summit48s; TTNET can access the Summit48s somehow.

I called TTNET to look at the Summit48s; they see the same traffic as I see on the MT. They said there is no problem on the Summit48s, so I guess the problem is on the MT. I asked TTNET to block the dest IP from their Black Diamond, and after that the SYN floods stopped and MT can access the Internet.

Any idea what to do? Why can't MT access the Internet?

Connection Tracking is disabled.

You can find the screenshots of MT before and after the SYN flood.
eth6 is the Intel PRO/1000 Server interface connected to the Summit48S.
eth1-4 is the 4-port PCI interface which I bought from the MT guys. eth1 is connected to the local Cisco switch. eth2 is where I and the office computers are connected.
eth5 is the onboard GB interface where a small number of servers are connected.

[Image: While getting SYN flood]

[Image: After TTNET blocks dest IP]

Posted: Tue Jan 23, 2007 1:17 pm
by binary
Anyone have any idea???

Posted: Fri Jan 26, 2007 2:13 am
by zuf
hi u used web proxy-test cach thanx

Posted: Mon Feb 12, 2007 1:57 am
by ianek
Anyone have any idea???
I think your FW rules are killing the CPU time when getting flooded. Have you tried to switch them off when getting flooded?

Jan

Posted: Mon Feb 12, 2007 8:29 am
by binary
I turned off everything, no change.

I guess this is about the PCI bus.

Re: Cpu %100

Posted: Thu Jul 12, 2007 9:40 pm
by nikhil
We have the same issue: connection tracking off, 2.9GHz P4, HT (OFF), 1GB RAM and dual NICs on PCI-X; still at 50 to 10kpps our CPU is 100%. No firewall rules, nothing, just BGP and plain policy routing using routing tables; MT 2.9.44. Our BGP goes off and everything goes down or drags to a halt. I had changed from PCI to PCI-X about 2 years ago because the PCI bus was not able to handle this, but now even with PCI-X we have issues. Any advice? Should we buy a DDoS mitigation device, or is there something else available in MT?

Re: Cpu %100

Posted: Thu Jul 12, 2007 9:51 pm
by binary
I started to use MT3 Beta7 on an HP DL140 G3 with dual Intel PCI-e NICs.
As far as I know, PCI and PCI-X are like half-duplex and PCIe NICs are full-duplex with more speed.

We got a SYN flood attack of 200k packets/sec and MT didn't crash.

I suggest you move to MT3 Beta with a DC / QC Xeon CPU and PCIe NICs.

Re: Cpu %100

Posted: Fri Jul 13, 2007 4:52 am
by nikhil
I started to use MT3 Beta7 on an HP DL140 G3 with dual Intel PCI-e NICs.
As far as I know, PCI and PCI-X are like half-duplex and PCIe NICs are full-duplex with more speed.

We got a SYN flood attack of 200k packets/sec and MT didn't crash.

I suggest you move to MT3 Beta with a DC / QC Xeon CPU and PCIe NICs.
A few questions:
At 200kpps what's your CPU utilization %? I am asking because we have 2 links and both combined we were touching 150kpps at peak, but with 100% CPU. Bandwidth was NOT an issue. Supermicro P4SCT+ with 1 GigE NIC on CSA and the other dual-port NIC on PCI-X; I was hoping it would do more.

Do you use BGP?
Do you have the Broadcom or NCIE on the DL140, and does MT detect and work well with these?

Re: Cpu %100

Posted: Fri Jul 13, 2007 1:42 pm
by binary
CPU usage was 60%, no packet loss. I am not using the DL140 G3 onboard NICs, but they are also PCIe. You can try to use them.
But after 400Kpps there was packet loss with my Intel PCIe NICs.

Fibre Metro-Eth --> C3560G --> MT --> C3560 --> Servers
BGP is set on the Cisco 3560G. There isn't any problem on the C3560G when we get a heavy SYN flood.

Also I bought a NetScaler App. Accelerator and put it behind MT. NS blocks SYN floods, so MT works great.

My new network map:
Fibre Metro-Eth --> C3560G --> NS --> MT --> C3560 --> Servers

I use MT for basic firewall and traffic shaping for my co-location customers.

Current stats:
30K/35K pps; 100Mbit/30Mbit IN/OUT
40% CPU usage

Re:

Posted: Wed Jul 18, 2007 7:33 am
by hajid
Ah ... Realtek. I think that explains it. I think the only cards that will hit that high of a packet rate reliably are the Intel NICs ... they have way better performance. PCI-X or PCI-e if you can with the mobo you have.

Your P4 3.2 should be enough. If you're still having problems it might be because of the queueing, which adds lots of CPU usage under heavy load.

Sam
How about the RB44 gigabit NIC? I also have a problem with high CPU usage. When handling about 50Mbps, CPU usage increases to about 80%.
I use a PC PIV 2.4 with 1GB memory; also I use BGP routing, receiving about 3000 route table entries.

Re: Cpu %100

Posted: Wed Jul 18, 2007 3:07 pm
by tgrand
It is hard to read the images.

What speed of connection do you have with the Summit?
From what it appears, the ether6 to the Summit is receiving at 29.x Mbps;
if your connection is 30M then your Internet connection is flooded.

When no flood is happening the ether6 to the Summit is receiving at 4.9 Mbps.

Why would you not want to drop the packets during this attack?
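Two numbers from this thread explain what is actually hurting the box: tgrand reads the screenshots as roughly 29.x Mbps on ether6 during the flood versus 4.9 Mbps normally, and binary reports 50K SYN packets/s at 30Mbit. Taken together that is about 75 bytes per packet, i.e. a small-packet storm, which is exactly the per-packet (interrupt, routing lookup, queue) cost changeip describes, and it is why packets per second rather than Mbit/s is the figure to watch. The Python script below is an added example, not code from the thread, from MikroTik or from any of the posters: it turns successive interface counter snapshots into pps, Mbit/s and average packet size, handles a 32-bit counter wrap (old RouterOS and SNMP counters wrap), flags a small-packet storm, and gives a rough linear estimate of the pps at which the CPU would saturate from one observed (pps, CPU%) pair, which is the kind of headroom question nikhil asks. The snapshots, the 32-bit counter width, the thresholds and the linear CPU model are all constructed assumptions.

```python
"""Interface-counter monitor for spotting a small-packet (SYN) storm.

Added example; not code from the forum thread or from MikroTik.
Counter width, sample data, thresholds and the linear CPU model are assumptions.
"""
from dataclasses import dataclass
from typing import List, Tuple

COUNTER_BITS = 32          # assumption: 32-bit rx counters that wrap around
COUNTER_WRAP = 1 << COUNTER_BITS


@dataclass(frozen=True)
class Snapshot:
    """One reading of an interface's receive counters at time t (seconds)."""
    t: float
    rx_bytes: int
    rx_packets: int


@dataclass(frozen=True)
class Rate:
    """Derived rates for the interval between two snapshots."""
    pps: float            # packets per second
    mbps: float           # megabits per second (1e6 bits)
    avg_pkt_bytes: float  # bytes per packet over the interval


def counter_delta(old: int, new: int, wrap: int = COUNTER_WRAP) -> int:
    """Difference between two counter readings, tolerating one wraparound."""
    delta = new - old
    return delta if delta >= 0 else delta + wrap


def rate_between(a: Snapshot, b: Snapshot) -> Rate:
    """Convert two consecutive snapshots into pps / Mbit/s / average size."""
    dt = b.t - a.t
    if dt <= 0:
        raise ValueError("snapshots must be in increasing time order")
    packets = counter_delta(a.rx_packets, b.rx_packets)
    octets = counter_delta(a.rx_bytes, b.rx_bytes)
    pps = packets / dt
    mbps = octets * 8 / dt / 1e6
    avg = octets / packets if packets else 0.0
    return Rate(pps=pps, mbps=mbps, avg_pkt_bytes=avg)


def classify(rate: Rate, pps_threshold: float = 20_000.0,
             small_pkt_bytes: float = 100.0) -> str:
    """Label an interval.

    A flood of bare SYNs shows up as many packets that are each tiny; a
    legitimate bulk transfer pushes Mbit/s with large frames instead.
    Thresholds are assumptions chosen to match the thread's numbers.
    """
    if rate.pps >= pps_threshold and rate.avg_pkt_bytes <= small_pkt_bytes:
        return "small-packet flood"
    return "normal"


def pps_capacity(observed_pps: float, cpu_percent: float) -> float:
    """Rough pps at which the CPU would hit 100%, assuming cost scales
    linearly with packet count (assumption; real boxes are not that tidy)."""
    if not 0 < cpu_percent <= 100:
        raise ValueError("cpu_percent must be in (0, 100]")
    return observed_pps * 100.0 / cpu_percent


# Constructed sample: 10 s of quiet traffic (about 4.9 Mbit/s of ~612-byte
# packets) followed by 10 s of a SYN storm (50K pps of 72-byte packets,
# about 28.8 Mbit/s), mirroring the figures quoted in the thread.
SAMPLE_SNAPSHOTS = [
    Snapshot(t=0.0, rx_bytes=0, rx_packets=0),
    Snapshot(t=10.0, rx_bytes=6_120_000, rx_packets=10_000),
    Snapshot(t=20.0, rx_bytes=6_120_000 + 36_000_000, rx_packets=510_000),
]


def analyze(snapshots: List[Snapshot]) -> List[Tuple[Rate, str]]:
    """Rate and label for every consecutive pair of snapshots."""
    out = []
    for a, b in zip(snapshots, snapshots[1:]):
        r = rate_between(a, b)
        out.append((r, classify(r)))
    return out


if __name__ == "__main__":
    for rate, label in analyze(SAMPLE_SNAPSHOTS):
        print(f"{rate.pps:9.0f} pps {rate.mbps:6.2f} Mbit/s "
              f"{rate.avg_pkt_bytes:6.1f} B/pkt  -> {label}")
    # binary's earlier data point: 50K pps at ~50% CPU on the P4
    print(f"estimated saturation: {pps_capacity(50_000, 50):.0f} pps")
```

Run it as-is to see the quiet interval labelled normal and the storm interval labelled as a small-packet flood; feed `Snapshot` readings taken from real interface counters (RouterOS interface stats, SNMP ifInOctets/ifInUcastPkts) to use it on a live box. The average-packet-size column is the diagnostic: if Mbit/s is modest but pps is high and packets are tiny, the bottleneck is per-packet processing, and faster NICs with interrupt mitigation or an upstream drop (the option tgrand raises) are the relevant fixes, not more bandwidth.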