1 Reply Latest reply on Mar 22, 2013 1:22 PM by Freddy Gonzalez

    Intel's Hyper-Threading vs. Linux Iptables/Netfilter Firewall?


      Hello, and first of all sorry for any possible English mistakes; it is not my native language, but I'll do my best.


      I am trying to find out whether I should leave Intel's HT enabled or not on a dedicated Linux firewall box. The box is a brand new Dell PowerEdge R620, which hosts a single E5-2643 (i.e., not a dual-CPU configuration).


      The box's ONLY purpose will be firewalling and routing. It sits in front of the end user's servers. It runs Debian Linux, and the software layer consists of the good old iptables framework. And that's it. This box will not act as a web server, database server, etc. Just a simple software firewall/router.


      The expected traffic levels are between 50 and 100 Mbps, which translates to something like 10-15k packets per second. So that's not a really high value, to be honest!
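For reference, the 10-15k figure follows from simple arithmetic once you assume an average packet size (the ~833-byte average below is an illustrative assumption, not a measurement):

```shell
# Rough pps estimate: (link rate in bits/s) / (bits per packet).
# The 833-byte average packet size is an assumption; real traffic varies.
avg_pkt_bytes=833
for mbps in 50 100; do
  echo "$mbps Mbps -> $(( mbps * 1000000 / (8 * avg_pkt_bytes) )) pps"
done
```

With those numbers this yields roughly 7.5k and 15k pps respectively; during a SYN flood the average packet is much smaller (~60 bytes), which is why the pps rate explodes even at moderate bandwidth.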


      But before delivering it to my customer and putting it live, I want to use this machine as a "benchmark" in order to get an idea of how many pps (packets per second) my server can handle before running into trouble.
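For that benchmark, one common way to generate this kind of load is hping3 from a separate load-generator machine (assuming it is installed; the target address below is a documentation placeholder, not a real host):

```shell
# Send SYN packets as fast as possible to port 80 of the firewall under test.
# 192.0.2.1 is a placeholder (RFC 5737 documentation range); replace it with
# the test box's address. Requires root; run only against your own equipment.
hping3 --flood -S -p 80 192.0.2.1
```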


      We've recently been hit by DDoS attacks (mostly SYN floods), which basically consisted of sending a very large number of pps to the firewall. The attacks' "power levels" ranged between 100k pps and 1M (one million) pps. The latter is a very high rate!
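As a side note, here is a minimal sketch of the first-line SYN-flood mitigation we'd apply on such a box (the sysctl is standard; the iptables numbers are assumptions to be tuned, not a tested policy):

```shell
# Enable SYN cookies so the kernel can keep accepting connections even when
# the backlog is full of half-open entries from a flood.
sysctl -w net.ipv4.tcp_syncookies=1

# Illustrative rate limit on new SYNs using the "limit" match; the rate and
# burst values here are assumptions and must be tuned to real traffic.
iptables -A INPUT -p tcp --syn -m limit --limit 1000/second --limit-burst 5000 -j ACCEPT
iptables -A INPUT -p tcp --syn -j DROP
```

None of this removes the CPU question, of course: every dropped packet still has to be received and classified first, which is exactly the softirq work described below.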


      So far it is our understanding that the CPU is an important factor when dealing with DDoS attacks and high pps. An important factor among many others, of course, such as the network infrastructure, network hardware, network driver configuration, server configuration, Linux kernel configuration, interrupt handling configuration, iptables configuration, connection tracking or not, etc. But let's focus on the CPU for the moment.


      Depending on the capability/grade of the CPU the firewall uses, we see the Linux kernel spending different amounts of time in the "si" (software interrupt, i.e. softirq) state. When the attack is powerful and the firewall's CPU is not great hardware (a single E5607 for instance), all of the kernel's CPUs get stuck at around 80-90% "si", which means they are doing nothing but "processing" packets. This is where the trouble begins, as it is just not fast enough: the Linux kernel starts dropping packets.
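That softirq pressure can be watched directly, not just inferred from top. For example, the per-CPU NET_RX counters in /proc/softirqs can be summed; a total that grows very fast during an attack means the cores are busy in exactly that packet-processing path:

```shell
# Sum the NET_RX (receive-side softirq) counters across all CPU columns.
# The first field on the line is the label "NET_RX:", so we start at column 2.
awk '/NET_RX/ { for (i = 2; i <= NF; i++) sum += $i } END { print sum + 0 }' /proc/softirqs
```

Running this twice a second apart gives the NET_RX softirq rate; `mpstat -P ALL 1` (from the sysstat package) shows the same pressure live as the "%soft" column per CPU.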


      We determined empirically that upgrading the CPU, and/or adding a second CPU (making the box dual-CPU), improves how the box copes with the attacks.
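One caveat we are aware of: extra cores (physical or HT logical) only help if the NIC's receive queues and their interrupts are actually spread across those cores. A rough sketch of how we'd check and pin that (the interface name, IRQ number and mask below are illustrative assumptions):

```shell
# See how many IRQs / RX queues the NIC exposes (interface name is an example):
grep eth0 /proc/interrupts

# Pin one RX queue's IRQ to a specific core. The IRQ number 42 is made up for
# illustration; the value is a hex CPU bitmask (2 = CPU1). Requires root.
echo 2 > /proc/irq/42/smp_affinity
```

If all queues land on CPU0, a faster or wider CPU barely helps, which can easily be mistaken for an HT effect.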


      I've been doing some research and couldn't find anything relevant to my question. All I got so far was people saying things like:


      - " you should enable Intel's HT on a web server "

      - " you should not enable Intel's HT on a database server "

      - " Intel's HT is just pure marketing, and can sometimes lower the overall performance instead of improving it "

      - " Intel's HT was not that good with Westmere architecture, but it has been much improved with the brand new Sandy Bridge architecture "


      Okay, so where's the truth? And what about a simple firewall? Will adding logical CPUs to my Linux box increase my maximum pps rate?
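Whatever the answer, during testing it is worth confirming from the OS that the BIOS setting actually took effect. An E5-2643 has 4 physical cores, so Linux should report 8 logical CPUs with HT enabled and 4 with it disabled:

```shell
# Count the logical CPUs the kernel sees (8 with HT on, 4 with HT off
# for a single E5-2643):
grep -c ^processor /proc/cpuinfo

# Same information via coreutils:
nproc
```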


      Do you guys have white papers or things like that?


      I also read this (http://i.dell.com/sites/content/shared-content/data-sheets/en/Documents/configuring-low-latency-environments-on-dell-poweredge-12g-servers.pdf) from Dell. They simply say the recommended setting for "logical processor" (Intel's HT) is "disabled", but don't explain any further... Why do they say that?


      In the end I will probably do some extensive testing, for instance sending a very large number of packets to the box and comparing the results with HT on and then off... But before doing that, I'd like to know if you guys could give some (even minimal) input on this.
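For that comparison, the number I plan to record is received pps, which can be sampled from /proc/net/dev. A minimal sketch (the default interface "lo" is just so the snippet runs anywhere; on the firewall it would be the real NIC, e.g. eth0):

```shell
# Sample received packets/second on one interface via /proc/net/dev.
# "lo" is a safe default for illustration; pass the real NIC name instead.
IFACE=${1:-lo}
rx_packets() { grep "$IFACE:" /proc/net/dev | sed 's/.*://' | awk '{ print $2 }'; }
before=$(rx_packets)
sleep 1
after=$(rx_packets)
echo "$(( after - before )) pps on $IFACE"
```

Comparing that figure (and the "si" percentages) at the point where drops begin, with HT on versus off, should answer the question for this exact workload.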


      Many thanks in advance.