427 Botnet fm qxd

Q: 
Is Linux or FreeBSD better for a probe? 
A: 
This is a good question.There are some tradeoffs here. For example, with
Linux there are more people working on more network device drivers or
supporting them than for FreeBSD. On the other hand, the basic sub-
system for getting packets out of the kernel is better with FreeBSD than
with Linux. (We have measured this in our lab at PSU with a high-speed
packet generator.) Phil Wood at http://public.lanl.gov/cpw has a libpcap
variation for Linux that pairs libpcap changes with the Linux kernel sup-
plied memory-mapped ring buffer for packet sniffing, and this system
(libpcap+kernel) substantially improves Linux performance. We use
FreeBSD with Intel NICs and insist on at least a dual-core CPU. At this
time, we recommend FreeBSD.
Q: 
Besides interrupts, are there other possible sources of packet loss? 
A: 
Packet loss during a DDoS attack is a difficult problem with multiple
facets. We have discovered that some NICs might simply lose packets if
too many small packets are arriving at the port. On both BSD and Linux,
the 
netstat –in
command might show possible input errors and should be
used to check your NIC to see if it has large amounts of errors.
Unfortunately, we can’t recommend anything useful here other than to try
another kind of NIC.
www.syngress.com
Advanced Ourmon Techniques • Chapter 9
343
Frequently Asked Questions
The following Frequently Asked Questions, answered by the authors of this
book, are designed to both measure your understanding of the concepts pre-
sented in this chapter and to assist you with real-life implementation of these
concepts. To have your questions about this chapter answered by the author,
browse to 

Download 6,98 Mb.

Do'stlaringiz bilan baham: