Re: DoS by small packets: eth0: Too much work at interrupt, IntrStatus=0x0001.
- From: Bogdan Costescu <bogdan costescu iwr uni-heidelberg de>
- To: "Discussion of Red Hat Enterprise Linux 3 (Taroon)" <taroon-list redhat com>
- Subject: Re: DoS by small packets: eth0: Too much work at interrupt, IntrStatus=0x0001.
- Date: Sun, 11 Jul 2004 00:49:41 +0200 (CEST)

On Thu, 8 Jul 2004, Milan Keršláger wrote:
> I have trouble with DoS attacks on one internal machine through a RHEL3
> router. It seems that a lot of small packets are causing a DoS (100Mbps links)
> on my router even when I shut down my firewall rules.

An Internet search with "Too much work at interrupt" should have
brought lots of hits, some of them coming from archives of the vortex
mailing list (dealing with 3c59x driver) and being written by me.

The message is sent by the driver when it loops too much in the
interrupt routine. It is a measure to protect against the network
driver monopolizing the CPU for long periods of time when subjected to
sustained network traffic (the interrupts are disabled while
executing the interrupt routine on UP systems). There is a module
parameter (at least for 3c59x) called "max_interrupt_work" that allows
setting a larger value, which basically says "give more priority to
handling network packets than other devices on the system".

Often, this message appears as a sign of general interrupt problems on
the system. If one device (not the network device) raises an
interrupt, the kernel will disable all interrupts until the driver for
this device has processed the interrupt. During this time, packets can
arrive from the network and will be stored (if there's enough space)
in the Rx buffers ring; also an interrupt is raised. When the kernel
starts the interrupt routine for the network driver, the Rx ring might
be (close to) full and there might also be some packets waiting in the
Tx ring too, so the driver will loop trying to process as much as
possible at once, as calling the interrupt routine is expensive. So
disabling interrupts for "long" periods will also lead to this
situation - usual suspects are disk controllers (IDE/SCSI) and serial
lines.

Another possibility is that the network driver increases the system
load due to its interrupt routine being called too often. NAPI is
supposed to help in this situation; there is no NAPI support in 3c59x
at the moment, but there are other drivers that work well with NAPI.

--
Bogdan Costescu
IWR - Interdisziplinaeres Zentrum fuer Wissenschaftliches Rechnen
Universitaet Heidelberg, INF 368, D-69120 Heidelberg, GERMANY
Telephone: +49 6221 54 8869, Telefax: +49 6221 54 8868
E-mail: Bogdan Costescu IWR Uni-Heidelberg De
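
Added example, not part of the original message and not code from the 3c59x driver: a simplified user-space C model of the bounded interrupt loop described in the message, showing how a backlog built up while interrupts are disabled exhausts the work limit. The function names, the ring size of 128 and the limits 32 and 64 are constructed for illustration; the model handles one event per pass and ignores frames that arrive while the routine runs.

```c
#include <stdio.h>

/* Simplified user-space model, NOT driver code. Hypothetical names throughout;
 * only max_interrupt_work is a name taken from the message above. */

/* Frames queued in the Rx ring while interrupts stay disabled for blocked_us
 * microseconds; frames beyond ring_size are lost, so the backlog is capped. */
static int backlog_after(long long pps, long long blocked_us, int ring_size)
{
    long long n = pps * blocked_us / 1000000LL;
    return n > ring_size ? ring_size : (int)n;
}

/* One run of the modelled interrupt routine: handle one pending event per pass.
 * Returns 1 when the work limit is used up while events are still pending,
 * the condition under which the driver logs "Too much work at interrupt". */
static int service_interrupt(int *pending, int max_interrupt_work)
{
    int work = max_interrupt_work;
    while (*pending > 0) {
        (*pending)--;
        if (--work <= 0 && *pending > 0)
            return 1;
    }
    return 0;
}

int main(void)
{
    const long long pps = 148810;    /* 64-byte frames on a 100 Mbit/s link */
    const int ring_size = 128;       /* constructed sample value */
    const long long blocked_us[] = { 100, 300, 1000 };
    const int limits[] = { 32, 64 }; /* constructed sample values */

    for (int i = 0; i < 3; i++) {
        for (int j = 0; j < 2; j++) {
            int pending = backlog_after(pps, blocked_us[i], ring_size);
            int queued = pending;
            int hit = service_interrupt(&pending, limits[j]);
            printf("blocked %4lld us, %3d queued, limit %2d: %s, %d left\n",
                   blocked_us[i], queued, limits[j],
                   hit ? "too much work" : "ok", pending);
        }
    }
    return 0;
}
```

In this model a few hundred microseconds with interrupts disabled is enough for minimum-size frames at line rate to outrun a limit of 32, and a larger limit clears the backlog at the cost of a longer stay in the interrupt routine.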