LKML Archive on lore.kernel.org
help / color / mirror / Atom feed
From: Ross Vandegrift <ross@kallisti.us>
To: Andi Kleen <andi@firstfloor.org>
Cc: Glenn Griffin <ggriffin.kernel@gmail.com>,
	netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] Add IPv6 support to TCP SYN cookies
Date: Tue, 12 Feb 2008 15:38:57 -0500	[thread overview]
Message-ID: <20080212203857.GA32506@kallisti.us> (raw)
In-Reply-To: <20080208120746.GE4745@one.firstfloor.org>

On Fri, Feb 08, 2008 at 01:07:46PM +0100, Andi Kleen wrote:
> On Thu, Feb 07, 2008 at 02:44:46PM -0500, Ross Vandegrift wrote:
> > On Wed, Feb 06, 2008 at 09:53:57AM +0100, Andi Kleen wrote:
> > My initial test is end-to-end 1000Mbps, but I've got a few different
> > packet rates.
> > 
> > > If the young/old heuristics do not work well enough anymore most
> > > likely we should try readding RED to the syn queue again. That used
> > > to be pretty effective in the early days. I don't quite remember why
> > > Linux didn't end up using it in fact.
> > 
> > I'm running juno-z with 2, 4, & 8 threads of syn flood to port 80.
> > wireshark measures 2 threads at 350pps, 4 threads at 750pps, and 8
> 
> What's the total bandwidth of the attack?

Sorry for the delay in getting back to you on this Andi.

Here's a breakdown for each attack of the pps and bandwidth:

packets/s	Mb/s

380		0.182 
715		0.343
1193		0.572
16460		7.896

The first three tests were done with some fixed delay inbetween syn
floods.  The last is done with all delays as small as possible.


> > threads at 1200pps.  Under no SYN flood, the server handles 750 HTTP
> > requests per second, measured via httping in flood mode.
> 
> Thanks for the tests. Could you please do an additional experiment? 
> Use sch_em or similar to add a jittering longer latency in the connection
> (as would be realistic in a real distributed DOS). Does it make a
> difference? 

Jitter on both ends makes it worse.  Jitter only on the syn flooder
end behaves approximately the same.

If I add jitter to both the flooder and the target with:
	tc qdisc add dev eth0 root netem delay 50ms 100ms distribution normal
I can kill off the host with even a single thread of syn flooding,
even with a backlog queue size of 32768.


> > With a default tcp_max_syn_backlog of 1024, I can trivially prevent
> > any inbound client connections with 2 threads of syn flood.
> > Enabling tcp_syncookies brings the connection handling back up to 725
> > fetches per second.
> 
> Yes the defaults are probably too low. That's something that should
> be fixed.

Yea, with a longer queue, the server is somewhat more resiliant.  But
it's still pretty easy to overwhelm it.  syncookies is a night and day
difference.


> > At these levels the CPU impact of tcp_syncookies is nothing.  I can't
> 
> CPU impact of syncookies was never a concern. The problems are rather
> missing flow control and disabling of valuable TCP features.

Oh definitely - Willy raised the CPU issue in another mail, I was just
including my findings with a bigger CPU.

In general I agree with you for the TCP features, but in the cases where
we're enabling syncookies, it's the difference between bad connectivity and
no connectivity.

-- 
Ross Vandegrift
ross@kallisti.us

"The good Christian should beware of mathematicians, and all those who
make empty prophecies. The danger already exists that the mathematicians
have made a covenant with the devil to darken the spirit and to confine
man in the bonds of Hell."
	--St. Augustine, De Genesi ad Litteram, Book II, xviii, 37

  reply	other threads:[~2008-02-12 20:40 UTC|newest]

Thread overview: 41+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2008-02-04 23:01 Glenn Griffin
2008-02-05 15:55 ` Andi Kleen
2008-02-05 15:42   ` Alan Cox
2008-02-05 16:39     ` Andi Kleen
2008-02-05 16:03       ` Alan Cox
2008-02-05 16:48         ` Andi Kleen
2008-02-05 16:14           ` Alan Cox
2008-02-05 20:50       ` Willy Tarreau
2008-02-05 18:29   ` Glenn Griffin
2008-02-05 19:25     ` Ross Vandegrift
2008-02-05 20:11       ` Andi Kleen
2008-02-05 21:23         ` Ross Vandegrift
2008-02-06  8:53           ` Andi Kleen
2008-02-07 19:44             ` Ross Vandegrift
2008-02-08 12:07               ` Andi Kleen
2008-02-12 20:38                 ` Ross Vandegrift [this message]
2008-02-05 20:02     ` Andi Kleen
2008-02-05 20:39       ` Evgeniy Polyakov
2008-02-05 20:53         ` Andi Kleen
2008-02-05 21:50           ` Evgeniy Polyakov
2008-02-05 21:20         ` Alan Cox
2008-02-05 21:52           ` Evgeniy Polyakov
2008-02-05 21:20             ` Willy Tarreau
2008-02-05 22:05             ` Alan Cox
2008-02-06  1:52               ` Glenn Griffin
2008-02-06  7:50                 ` Andi Kleen
2008-02-06 17:36                   ` Glenn Griffin
2008-02-06 18:45                     ` Andi Kleen
2008-02-06 23:03                       ` Glenn Griffin
2008-02-06  9:13                 ` Evgeniy Polyakov
2008-02-06 18:30                   ` Glenn Griffin
2008-02-07  7:24                     ` Evgeniy Polyakov
2008-02-07  9:40                       ` Eric Dumazet
2008-02-08  5:32                         ` Glenn Griffin
2008-02-08  5:49                           ` Glenn Griffin
2008-02-11 16:07                             ` YOSHIFUJI Hideaki / 吉藤英明
2008-02-18 23:45                               ` Glenn Griffin
2008-02-13  7:31                         ` YOSHIFUJI Hideaki / 吉藤英明
2008-02-05 19:57   ` Jan Engelhardt
2008-02-05 21:25     ` Alan Cox
2008-02-04 23:01 Glenn Griffin

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20080212203857.GA32506@kallisti.us \
    --to=ross@kallisti.us \
    --cc=andi@firstfloor.org \
    --cc=ggriffin.kernel@gmail.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --subject='Re: [PATCH] Add IPv6 support to TCP SYN cookies' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).