Re: [PATCH] Add IPv6 support to TCP SYN cookies

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

From: Andi Kleen

Subject: Re: [PATCH] Add IPv6 support to TCP SYN cookies

Date: Friday, February 8, 2008 - 5:07 am

On Thu, Feb 07, 2008 at 02:44:46PM -0500, Ross Vandegrift wrote:
quoted text> On Wed, Feb 06, 2008 at 09:53:57AM +0100, Andi Kleen wrote:
> > That would be useful yes -- for different bandwidths.
> 
> My initial test is end-to-end 1000Mbps, but I've got a few different
> packet rates.
> 
> > If the young/old heuristics do not work well enough anymore most
> > likely we should try readding RED to the syn queue again. That used
> > to be pretty effective in the early days. I don't quite remember why
> > Linux didn't end up using it in fact.
> 
> I'm running juno-z with 2, 4, & 8 threads of syn flood to port 80.
> wireshark measures 2 threads at 350pps, 4 threads at 750pps, and 8

What's the total bandwidth of the attack?

quoted text> threads at 1200pps.  Under no SYN flood, the server handles 750 HTTP
> requests per second, measured via httping in flood mode.

Thanks for the tests. Could you please do an additional experiment? 
Use sch_em or similar to add a jittering longer latency in the connection
(as would be realistic in a real distributed DOS). Does it make a
difference? 

quoted text> With a default tcp_max_syn_backlog of 1024, I can trivially prevent
> any inbound client connections with 2 threads of syn flood.
> Enabling tcp_syncookies brings the connection handling back up to 725
> fetches per second.

Yes the defaults are probably too low. That's something that should
be fixed.

quoted text> 
> At these levels the CPU impact of tcp_syncookies is nothing.  I can't

CPU impact of syncookies was never a concern. The problems are rather
missing flow control and disabling of valuable TCP features.

quoted text> BUG: soft lockup detected on CPU#1!
>  [<c044d1ec>] softlockup_tick+0x96/0xa4
>  [<c042ddb0>] update_process_times+0x39/0x5c
>  [<c04196f7>] smp_apic_timer_interrupt+0x5b/0x6c
>  [<c04059bf>] apic_timer_interrupt+0x1f/0x24
>  [<c045007b>] taskstats_exit_send+0x152/0x371
>  [<c05c007b>] netlink_kernel_create+0x5/0x11c
>  [<c05a7415>] reqsk_queue_alloc+0x32/0x81
>  [<c05a5aca>] lock_sock+0x8e/0x96

I think the softirqs are starving user context through the socket
lock.  Probably should be fixed too. Something like softirq should
detect when there is a user and it is looping too long and should
give up the lock for some time.


-Andi
--
unsubscribe noticeTo unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

[PATCH] Add IPv6 support to TCP SYN cookies, Glenn Griffin, (Mon Feb 4, 4:01 pm)

Re: [PATCH] Add IPv6 support to TCP SYN cookies, Alan Cox, (Tue Feb 5, 8:42 am)

Re: [PATCH] Add IPv6 support to TCP SYN cookies, Andi Kleen, (Tue Feb 5, 8:55 am)

Re: [PATCH] Add IPv6 support to TCP SYN cookies, Alan Cox, (Tue Feb 5, 9:03 am)

Re: [PATCH] Add IPv6 support to TCP SYN cookies, Alan Cox, (Tue Feb 5, 9:14 am)

Re: [PATCH] Add IPv6 support to TCP SYN cookies, Andi Kleen, (Tue Feb 5, 9:39 am)

Re: [PATCH] Add IPv6 support to TCP SYN cookies, Andi Kleen, (Tue Feb 5, 9:48 am)

Re: [PATCH] Add IPv6 support to TCP SYN cookies, Glenn Griffin, (Tue Feb 5, 11:29 am)

Re: [PATCH] Add IPv6 support to TCP SYN cookies, Ross Vandegrift, (Tue Feb 5, 12:25 pm)

Re: [PATCH] Add IPv6 support to TCP SYN cookies, Jan Engelhardt, (Tue Feb 5, 12:57 pm)

Re: [PATCH] Add IPv6 support to TCP SYN cookies, Andi Kleen, (Tue Feb 5, 1:02 pm)

Re: [PATCH] Add IPv6 support to TCP SYN cookies, Andi Kleen, (Tue Feb 5, 1:11 pm)

Re: [PATCH] Add IPv6 support to TCP SYN cookies, Evgeniy Polyakov, (Tue Feb 5, 1:39 pm)

Re: [PATCH] Add IPv6 support to TCP SYN cookies, Willy Tarreau, (Tue Feb 5, 1:50 pm)

Re: [PATCH] Add IPv6 support to TCP SYN cookies, Andi Kleen, (Tue Feb 5, 1:53 pm)

Re: [PATCH] Add IPv6 support to TCP SYN cookies, Alan Cox, (Tue Feb 5, 2:20 pm)

Re: [PATCH] Add IPv6 support to TCP SYN cookies, Willy Tarreau, (Tue Feb 5, 2:20 pm)

Re: [PATCH] Add IPv6 support to TCP SYN cookies, Ross Vandegrift, (Tue Feb 5, 2:23 pm)

Re: [PATCH] Add IPv6 support to TCP SYN cookies, Alan Cox, (Tue Feb 5, 2:25 pm)

Re: [PATCH] Add IPv6 support to TCP SYN cookies, Evgeniy Polyakov, (Tue Feb 5, 2:50 pm)

Re: [PATCH] Add IPv6 support to TCP SYN cookies, Evgeniy Polyakov, (Tue Feb 5, 2:52 pm)

Re: [PATCH] Add IPv6 support to TCP SYN cookies, Alan Cox, (Tue Feb 5, 3:05 pm)

Re: [PATCH] Add IPv6 support to TCP SYN cookies, Glenn Griffin, (Tue Feb 5, 6:52 pm)

Re: [PATCH] Add IPv6 support to TCP SYN cookies, Andi Kleen, (Wed Feb 6, 12:50 am)

Re: [PATCH] Add IPv6 support to TCP SYN cookies, Andi Kleen, (Wed Feb 6, 1:53 am)

Re: [PATCH] Add IPv6 support to TCP SYN cookies, Evgeniy Polyakov, (Wed Feb 6, 2:13 am)

Re: [PATCH] Add IPv6 support to TCP SYN cookies, Glenn Griffin, (Wed Feb 6, 10:36 am)

Re: [PATCH] Add IPv6 support to TCP SYN cookies, Glenn Griffin, (Wed Feb 6, 11:30 am)

Re: [PATCH] Add IPv6 support to TCP SYN cookies, Andi Kleen, (Wed Feb 6, 11:45 am)

Re: [PATCH] Add IPv6 support to TCP SYN cookies, Glenn Griffin, (Wed Feb 6, 4:03 pm)

Re: [PATCH] Add IPv6 support to TCP SYN cookies, Evgeniy Polyakov, (Thu Feb 7, 12:24 am)

Re: [PATCH] Add IPv6 support to TCP SYN cookies, Eric Dumazet, (Thu Feb 7, 2:40 am)

Re: [PATCH] Add IPv6 support to TCP SYN cookies, Ross Vandegrift, (Thu Feb 7, 12:44 pm)

Re: [PATCH] Add IPv6 support to TCP SYN cookies, Glenn Griffin, (Thu Feb 7, 10:32 pm)

Re: [PATCH] Add IPv6 support to TCP SYN cookies, Glenn Griffin, (Thu Feb 7, 10:49 pm)

Re: [PATCH] Add IPv6 support to TCP SYN cookies, Andi Kleen, (Fri Feb 8, 5:07 am)

Re: [PATCH] Add IPv6 support to TCP SYN cookies, YOSHIFUJI Hideaki / , (Mon Feb 11, 9:07 am)

Re: [PATCH] Add IPv6 support to TCP SYN cookies, Ross Vandegrift, (Tue Feb 12, 1:38 pm)

Re: [PATCH] Add IPv6 support to TCP SYN cookies, YOSHIFUJI Hideaki / , (Wed Feb 13, 12:31 am)

Re: [PATCH] Add IPv6 support to TCP SYN cookies, Glenn Griffin, (Mon Feb 18, 4:45 pm)


linux-kernel:
Ingo Molnar	Re: [PATCH 0/3] v2 Make hierarchical RCU less IPI-happy and add more tracing
Jeremy Fitzhardinge	Re: Linux 2.6.28.10 and Linux 2.6.29.6 XEN Guest Support Broken x86_64 in BUILD
Nick Piggin	Re: [patch] CFS (Completely Fair Scheduler), v2
Gary Hade	Re: [PATCH 0/5][RFC] Physical PCI slot objects
Dave Johnson	Re: expected behavior of PF_PACKET on NETIF_F_HW_VLAN_RX device?
linux-netdev:
Arnd Bergmann	Re: 64-bit net_device_stats
Stephens, Allan	RE: [PATCH]: tipc: Fix oops on send prior to entering networked mode
frank.blaschka	[patch 3/5] [PATCH] qeth: support z/VM VSWITCH Port Isolation
Wu Fengguang	Re: [PATCH] dm9601: handle corrupt mac address
David Miller	Re: [PATCH net-2.6.24] Fix refcounting problem with netif_rx_reschedule()
git:
Junio C Hamano	Re: [PATCH] [RFC] add Message-ID field to log on git-am operation
Junio C Hamano	Re: Handling large files with GIT
Karl	Re: [ANNOUNCE] pg - A patch porcelain for GIT
Josh Triplett	Re: [RFC][PATCH 00/10] Sparse: Git's "make check" target
Pierre Habouzit	Re: [PATCH] git-daemon: more powerful base-path/user-path settings, using formats.
git-commits-head:
Linux Kernel Mailing List	MIPS: RBTX4939: Fix IOC pin-enable register updating
Linux Kernel Mailing List	regulator: update email address for Liam Girdwood
Linux Kernel Mailing List	[SCSI] ipr: add message to error table
Linux Kernel Mailing List	powerpc/32: Wire up the trampoline code for kdump
Linux Kernel Mailing List	USB: omap_udc: sync with OMAP tree
openbsd-misc:
Josh Grosse	Re: error : pkg add phpMyAdmin
Brian Candler	Re: OBSD's perspective on SELinux
Jacob Meuser	Re: /dev/audio: Device busy
David Vasek	Re: Inexpensive, low power, "wall wart" computer
William Boshuck	Re: Richard Stallman...