[21933] in bugtraq
Re: UDP packet handling weird behaviour of various operating systems
daemon@ATHENA.MIT.EDU (Adrian Chadd)
Fri Jul 27 12:38:20 2001
Date: Fri, 27 Jul 2001 18:30:20 +0800
From: Adrian Chadd <adrian@creative.net.au>
To: Stefan Laudat <stefan@mail.allianztiriac.ro>
Cc: Paul Sack <paulsack@mail.utexas.edu>, bugtraq@securityfocus.com
Message-ID: <20010727183020.R79763@ewok.creative.net.au>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20010726015959.C31276@allianztiriac.ro>; from stefan@mail.allianztiriac.ro on Thu, Jul 26, 2001 at 01:59:59AM +0300

On Thu, Jul 26, 2001, Stefan Laudat wrote:
> > Most UDP packets should be firewalled from the Internet.
>
> Agree.
>
> > This is only really useful if someone has access to the local network. Is
> > Linux/UP actually *locking* or just temporarily unresponsive? Also, it is
> > invalid to compare Windows ME running on $3000 hardware with Linux/*BSD
> > running on an old Pentium. Are you running all of this on the same
> > hardware? Obviously faster hardware is going to be affected less by a UDP
> > flood. How about the network cards?
>
> Identical network cards for Win2k, Linux SMP and OpenBSD processor (Intel
> Pro 100). Linux was run on dual p3/1Ghz(SMP), Pentium2/400Mhz and P3/800Mhz
> (UP). Windows 2000 was run on p3/1Ghz UP. I've made tests with same results
> against Linux UP boxes running on Celeron/600 with 3com Vortex and realtek
> 8139 NICs. I've outlined that the result is the same no matter if you hit
> via 1Gbit or 100Mbit.

Guys, guys.

The realtek cards suck. If you don't believe me, try reading the device
driver code for them in FreeBSD. Bill Paul slightly rips into their
lame design. I use a couple at home in my doze machines because they
were lying about. Getting 100mbit is painful - I don't use the
top-line hardware in the doze machines.

> > I bet a Sun E10K with lots of NICs could flood the Sun UE3500 with lots of
> > NICs, but that probably doesn't mean that the Solaris 8 network stack is
> > better than the Solaris 8 network stack; it's because the E10K is faster.
>
> well then someone will clear all this stuff for me.
>

When you're seeing the PC lock up, run vmstat 1 on it.
See how many interrupts/context switches are happening a second.
I bet the INT levels are stupidly high.

Case in point: When trying out squid on a pair of IDE disks hooked up
to a linux-2.2 box, I noted that it was crawling. After running
vmstat for a while, it was obvious that the box was handling an absolutely
*stupid* amount of interrupts per second. Turning on DMA fixed that.

Now, Gige. I don't remember the details of the original post, but
if you've got a gige card in a Win server, I'm betting that the
basic TCP/UDP processing is occurring on the card, not on the box.
Depending how much work went into the driver (read: I bet it's more
than the state of the gige drivers under free unices) they might
even be generating the connection refused replies *on the card*.

Adrian

--
Adrian Chadd Yeah, for me its (XML) like the movie Titanic.
<adrian@creative.net.au> Everybody loves it.
I want to be different, so I hate it.
--Duane Wessels
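
The check suggested in the message above (watching interrupts and context switches per second in `vmstat 1` output while the box is unresponsive), as an added example that is not part of the original post. The function name `irq_report`, the variable `SAMPLE_VMSTAT`, and the 20000 interrupts/sec limit are assumptions, and the sample output is constructed.

```shell
#!/bin/sh
# Added example: flag `vmstat 1` samples whose interrupt rate is above a limit.

# irq_report LIMIT  (reads vmstat output on stdin)
# LIMIT is interrupts per second; any value used here is an assumption to be
# tuned against the host's normal baseline.
irq_report() {
    awk -v limit="$1" '
        # Banner and header rows contain letters. Column order differs between
        # vmstat versions, so find "in" and "cs" by name, not by position.
        /[A-Za-z]/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "in") in_col = i
                if ($i == "cs") cs_col = i
            }
            next
        }
        # Numeric rows are samples.
        in_col && cs_col && NF >= in_col && NF >= cs_col {
            # The first Linux sample is an average since boot, so skip it.
            if (++n == 1) next
            irq = $in_col + 0
            ctx = $cs_col + 0
            if (irq > peak) peak = irq
            if (irq > limit) {
                high++
                printf "sample %d: in=%d cs=%d HIGH\n", n, irq, ctx
            }
        }
        END {
            printf "samples=%d high=%d peak_in=%d\n", (n > 1 ? n - 1 : 0), high, peak
            exit (high > 0)    # status 1 when any sample exceeded the limit
        }
    '
}

# Constructed sample: two quiet seconds, then two seconds under heavy packet load.
SAMPLE_VMSTAT='procs -----------memory---------- ---swap-- -----io---- -system-- ------cpu-----
 r  b   swpd   free   buff  cache   si   so    bi    bo   in   cs us sy id wa st
 1  0      0 512340  20480 131072    0    0    12     8  150  300  2  1 97  0  0
 0  0      0 512100  20480 131072    0    0     0     0  180  340  1  1 98  0  0
 3  0      0 511800  20480 131072    0    0     0     0 48200 61000  3 92  5  0  0
 4  0      0 511700  20480 131072    0    0     0     0 51750 64500  2 95  3  0  0'

# Demo on the constructed sample; on a live host: vmstat 1 30 | irq_report 20000
printf '%s\n' "$SAMPLE_VMSTAT" | irq_report 20000 || true
```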