Dear all,

First, sorry for my bad English ..

Tonight one of my client is the victim of UDP attack from internet. It's tons of UDP packets from internet with destination to port 80. But when I look at class of that victim client, the actual class rate is over than configured rate class.

Below is my screen capture. You can see at class 1:913 which have actual rate 105136bit while configured with ceil at 96000bit. Also its parent class (1:91) which have actual rate 107680bit while configured with ceil at 96000bit.

Is this normal? Or I have miss something in my script. Sometimes ago I found this situation but I forgot to capture the screen and the traffic is UDP too (maybe from torrent-like client)

#tc -s -d class sh dev imq0 | grep -A4 1:91
class htb 1:91 parent 1:1 rate 17280bit ceil 96000bit burst 12Kb/8 mpu 0b overhead 0b cburst 12Kb/8 mpu 0b overhead 0b level 6
 Sent 292925505 bytes 1158879 pkt (dropped 0, overlimits 0 requeues 0)
 rate 107680bit 324pps backlog 0b 0p requeues 0
 lended: 25040 borrowed: 924897 giants: 0
 tokens: -6121720 ctokens: -831243
--
class htb 1:911 parent 1:91 leaf 911: prio 0 quantum 1000 rate 1712bit ceil 96000bit burst 12Kb/8 mpu 0b overhead 0b cburst 12Kb/8 mpu 0b overhead 0b level 0
 Sent 296118 bytes 4911 pkt (dropped 0, overlimits 0 requeues 0)
 rate 288bit 0pps backlog 0b 0p requeues 0
 lended: 4911 borrowed: 0 giants: 0
 tokens: 57158878 ctokens: 1019333
--
class htb 1:912 parent 1:91 leaf 912: prio 0 quantum 1000 rate 1712bit ceil 96000bit burst 12Kb/8 mpu 0b overhead 0b cburst 1647b/8 mpu 0b overhead 0b level 0
 Sent 4319317 bytes 16191 pkt (dropped 0, overlimits 0 requeues 0)
 rate 2632bit 0pps backlog 0b 0p requeues 0
 lended: 13098 borrowed: 3093 giants: 0
 tokens: -6153580 ctokens: 124667
--
class htb 1:913 parent 1:91 leaf 913: prio 0 quantum 1000 rate 13816bit ceil 96000bit burst 12Kb/8 mpu 0b overhead 0b cburst 1647b/8 mpu 0b overhead 0b level 0
 Sent 280566732 bytes 1137807 pkt (dropped 2924342, overlimits 0 requeues 0)
 rate 105136bit 312pps backlog 0b 30p requeues 0
 lended: 190933 borrowed: 946844 giants: 0
 tokens: -427412 ctokens: -138856

Regards,
Daniel

Daniel Harold L. wrote:
> Dear all,
>
> First, sorry for my bad English ..
>
> Tonight one of my client is the victim of UDP attack from internet. It's tons
> of UDP packets from internet with destination to port 80. But when I look at
> class of that victim client, the actual class rate is over than configured
> rate class.
>
> Below is my screen capture. You can see at class 1:913 which have actual rate
> 105136bit while configured with ceil at 96000bit. Also its parent class
> (1:91) which have actual rate 107680bit while configured with ceil at
> 96000bit.

Might be an integer overflow in the current iproute version. Which version are you using?

On Tuesday 03 July 2007 22:50, you wrote:
> Daniel Harold L. wrote:
> > Dear all,
> >
> > First, sorry for my bad English ..
> >
> > Tonight one of my client is the victim of UDP attack from internet. It's
> > tons of UDP packets from internet with destination to port 80. But when I
> > look at class of that victim client, the actual class rate is over than
> > configured rate class.
> >
> > Below is my screen capture. You can see at class 1:913 which have actual
> > rate 105136bit while configured with ceil at 96000bit. Also its parent
> > class (1:91) which have actual rate 107680bit while configured with ceil
> > at 96000bit.
>
> Might be an integer overflow in the current iproute version. Which
> version are you using?

iproute2-2.6.16-060323 + esfq patch + wrr patch + srr patch

Actually I'm using power pack package from Pawel Pawilcz http://snaj.ath.cx/26x/index.html for 2.6.17 kernel

Regards
Daniel

Daniel Harold L. wrote:
> On Tuesday 03 July 2007 22:50, you wrote:
>
>>Might be an integer overflow in the current iproute version. Which
>>version are you using?
>
>
> iproute2-2.6.16-060323 + esfq patch + wrr patch + srr patch

That version should be fine.

Daniel Harold L. wrote:
> Dear all,
>
> First, sorry for my bad English ..
>
> Tonight one of my client is the victim of UDP attack from internet. It's tons
> of UDP packets from internet with destination to port 80. But when I look at
> class of that victim client, the actual class rate is over than configured
> rate class.
>
> Below is my screen capture. You can see at class 1:913 which have actual rate
> 105136bit while configured with ceil at 96000bit. Also its parent class
> (1:91) which have actual rate 107680bit while configured with ceil at
> 96000bit.
>
> Is this normal? Or I have miss something in my script. Sometimes ago I found
> this situation but I forgot to capture the screen and the traffic is UDP too
> (maybe from torrent-like client)

Yes it is normal!

The rate tables that tc uses normally have 8 byte steps, so it is possible for up to a 56bit/s error per packet and you have 300 pps.

There was a small patch submitted for tc to make the error fall on the underrate rather than overrate side, but I think it got lost in the middle of the long ATM overhead patch thread on netdev.

Andy.
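
The rounding effect described in the last reply, as an added example that is not part of the thread and not code from tc: a small model of a shaper whose accounting works in 8-byte steps, run against a saturated queue of small packets at the 96000bit ceil from the thread. The charging rule (each packet charged at the start of its 8-byte cell), the function names and the 42-byte packet size are assumptions made for the illustration.

```python
# Added illustration; a model of the rounding, not code taken from tc.
# Assumption: a packet of `size` bytes is charged at the start of its
# 8-byte cell, i.e. (size >> 3) << 3 bytes.
CELL_LOG = 3  # 8-byte steps, as stated in the reply


def charged_bytes(size, round_up=False):
    """Bytes the shaper accounts for a packet of `size` bytes."""
    cell = size >> CELL_LOG
    if round_up:  # variant where the error lands on the underrate side
        cell += 1
    return cell << CELL_LOG


def max_overrate_bps(pps):
    """Upper bound on the excess: 7 bytes (56 bits) undercharged per packet."""
    return pps * ((1 << CELL_LOG) - 1) * 8


def shaped_wire_rate(ceil_bps, sizes, seconds=60, round_up=False):
    """Drain a saturated queue through a budget of ceil_bps * seconds bits.

    `sizes` is cycled to model an endless backlog (flood conditions).
    Returns the average rate actually sent, in bit/s.
    """
    budget_bits = ceil_bps * seconds
    sent_bits = 0
    i = 0
    while True:
        size = sizes[i % len(sizes)]
        cost = charged_bytes(size, round_up) * 8
        if cost == 0:
            raise ValueError("packet smaller than one cell is charged nothing")
        if cost > budget_bits:
            break
        budget_bits -= cost
        sent_bits += size * 8
        i += 1
    return sent_bits / seconds


if __name__ == "__main__":
    flood = [42]  # constructed sample: small fixed-size UDP packets
    print("charged per 42-byte packet:", charged_bytes(42))
    print("sent, rounding down:", shaped_wire_rate(96000, flood))
    print("sent, rounding up:  ", shaped_wire_rate(96000, flood, round_up=True))
    print("worst case excess at 300 pps:", max_overrate_bps(300))
```

In this model the class stays over its ceil for as long as the queue is saturated with packets whose size is not a multiple of 8, and the excess grows with the packet rate, which is why a flood of small packets makes it visible.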