[Linux-PowerEdge] Intel's Hyper-Threading vs. Linux Iptables/Netfilter Firewall ?

Leen Besselink delllist at consolejunkie.net
Tue Mar 19 19:01:09 CDT 2013

On Tue, Mar 19, 2013 at 09:55:26PM +0100, Monsieur Hugo wrote:
> Hello, and first of all very sorry about possible English mistakes/errors.
> It is not my native language but I'll try to do my best.
> I am trying to find out if I should leave Intel's HT enabled or not on a
> dedicated Linux firewall box. The box consists of a brand new Dell
> PowerEdge R620, which hosts a single (understand : not bi-CPU) E5-2643.
> The box's ONLY purpose will be firewalling and routing. It is located in
> front of the end user's servers. It runs on Debian Linux, and the software
> layer consists of the good old iptables framework. And that's it. This box
> will not do things like web server, database server, etc. Just a simple
> software firewall/router.
> The expected traffic levels are between 50 and 100 Mbps. This translates to
> something like 10-15k packets par second. So that's not a really high value
> tbh !
> But, before delivering it to my customer and putting it live, I want to use
> this machine as a "benchmark" in order to have an idea of how much pps
> (packets par second) my server is able to handle before getting in trouble.
> We've been recently hit by DDoS attacks (mostly SYN floods), which
> basically consisted in sending a very large number of pps to the firewall.
> The attacks "power levels" ranged between 100k pps and 1m (one million)
> pps. The latter is a kind of very high value !
> So far it is our understanding that the CPU is an important factor when
> dealing with DDoS attacks and high pps. An important factor among many
> others of course, such as network infrastructure, network hardware, network
> drivers configuration, server configuration, Linux kernel configuration,
> interrupts handling configuration, iptables configuration, connection
> tracking or not, etc. But let's focus on the CPU for the moment.
> Depending on the capability/grade of the CPU the firewall uses, we see the
> Linux kernel spending different amounts of time in "si" (software
> interrupt) state. When the attack is powerful and the firewall's CPU is not
> great hardware (single E5607 for instance), the Linux kernel has all its
> CPUs stuck at like 80-90% "si", which means it is just "processing" the
> packets. This is where the trouble begins, as it is just not fast enough.
> The Linux kernel starts dropping packets.
> We factually determined that upgrading the CPU, and/or adding another CPU
> (to make the box bi-CPU) improves the overall dealing with the attacks.
> I've been doing some research and couldn't find anything relevant regarding
> my question. All I got so far was people saying things like :
> - " you should enable Intel's HT on a web server "
> - " you should not enable Intel's HT on a database server "
> - " Intel's HT is just pure marketing, and can sometimes lower the overall
> performance instead of improving it "
> - " Intel's HT was not that good with Westmere architecture, but it has
> been much improved with the brand new Sandy Bridge architecture "
> Okay, so where's the truth ? And how about a simple firewall ? Will adding
> logical CPUs to my Linux box increase my maximum pps rate ?
> Do you guys have white papers or things like that ?
> I also read this (
> http://i.dell.com/sites/content/shared-content/data-sheets/en/Documents/configuring-low-latency-environments-on-dell-poweredge-12g-servers.pdf)
> from Dell. They simply say the recommended setting for "logical processor"
> (Intel's HT) is "disabled", but don't tell anything more... Why do they say
> that ?
> In the end I will probably do some extensive testing, for instance sending
> very numerous packets to the box and comparing the results with HT on then
> off... But before doing that I'd like to know if you guys could give some
> (even minimal) input about that.
> Many thanks in advance.

I have never looked into HT, but there are a number of general things/tips I can give you to look at.

Here are some ideas:

- first thing you should probably look at is CPU-affinity. You can configure Linux to assign a NIC or even a queue to a certain CPU. By default all NIC-traffic will go to one CPU. This document might give you some ideas:


- have a good look at the NICs you use and the drivers that go with it. And possibly upgrade the kernel to a newer version to get better performance. I guess the default onboard NIC is the Broadcom Xtreme II ?

If I understand correctly you probably want Intel NICs, they have multiple queues which means interrupts and packets can be devided over different cores.

- if you really are dealing with Distributed-DOS- and not just 'normal' DOS-attacks, you might want to look at this:

- you probably want to install ethtool and check the -k and -c option.

> Rgds,

> _______________________________________________
> Linux-PowerEdge mailing list
> Linux-PowerEdge at dell.com
> https://lists.us.dell.com/mailman/listinfo/linux-poweredge

More information about the Linux-PowerEdge mailing list