From: Andi Kleen <ak@muc.de>
To: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: Breno <brenosp@brasilsec.com.br>,
Stan Bubrouski <stan@ccs.neu.edu>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Mike Fedyk <mfedyk@matchmail.com>
Subject: Re: Size of Tasks during ddos
Date: Fri, 12 Sep 2003 01:08:49 +0200
Message-ID: <m3r82mkjni.fsf@averell.firstfloor.org>
In-Reply-To: <uHuj.7yv.9@gated-at.bofh.it> (Alan Cox's message of "Thu, 11 Sep 2003 23:50:11 +0200")
Alan Cox <alan@lxorguk.ukuu.org.uk> writes:
> Syn cookies accept the SYN frame and encode sufficient information into
> the reply that they can avoid storing any data until the next packet
> arrives from the other end completing the connection.
>
> That means squashing all the information we track (mss, window, etc)
> into very few bits. A modern TCP will offer large windows, selective ack
> and other features which we can't fit into a syn cookie, so with this off
> a burst of traffic will cause pauses while the socket queue clears and
> negotiate fully featured TCP; with syncookies enabled many of the
> connections in the burst will not have the extra features so may not
> perform as well.
Another side effect of syncookies is that flow control for new
connections breaks: when you have a client that is connecting to an
overloaded server it will only notice this after a long timeout. With
syncookies off you actually get useful errnos back on connect().
(Overloaded here doesn't necessarily mean DoS, just e.g. a single-threaded
service that is taking a long time to do some job and expresses this
with a small argument to listen().)
-Andi
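A worked illustration of the "squashing into very few bits" that Alan describes, added here as an example and not part of the thread or of the kernel's own code. It is a simplified model of the cookie layout used by net/ipv4/syncookies.c (8 bits of minute counter in the top byte, 24 bits carrying a hashed index into a small MSS table); the secrets, the MSS table and the addresses are constructed, and the hash is truncated SHA-256 rather than the kernel's SipHash.

```python
import hashlib
import struct

# Constructed secrets; a real stack draws these randomly at boot.
SECRET1 = b"constructed-secret-1"
SECRET2 = b"constructed-secret-2"
# The cookie can only carry an index into this table, not the peer's real
# MSS, window scale or SACK settings: that is the information loss Alan means.
MSS_TABLE = [536, 1300, 1440, 1460]
MAX_AGE_MINUTES = 4


def _h(secret, saddr, daddr, sport, dport, count=0):
    """32-bit keyed hash over the 4-tuple (IPv4 as ints) and a counter."""
    blob = secret + struct.pack(">IIHHI", saddr, daddr, sport, dport, count)
    return int.from_bytes(hashlib.sha256(blob).digest()[:4], "big")


def mss_index(mss):
    """Largest table entry not exceeding the MSS the client offered."""
    idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= mss:
            idx = i
    return idx


def make_cookie(saddr, daddr, sport, dport, client_isn, mss, minute):
    """Server ISN for the SYN-ACK: nothing is stored for this connection."""
    h1 = _h(SECRET1, saddr, daddr, sport, dport)
    h2 = _h(SECRET2, saddr, daddr, sport, dport, minute & 0xFF)
    data = mss_index(mss)
    return (h1 + client_isn + ((minute & 0xFF) << 24)
            + ((h2 + data) & 0xFFFFFF)) & 0xFFFFFFFF


def check_cookie(saddr, daddr, sport, dport, client_isn, cookie, now_minute):
    """Recover the MSS from a valid, unexpired cookie, else None.

    On the final ACK the server has ack_seq = cookie + 1 and seq = client_isn + 1,
    so the caller passes ack_seq - 1 and seq - 1 here.
    """
    h1 = _h(SECRET1, saddr, daddr, sport, dport)
    diff = (cookie - h1 - client_isn) & 0xFFFFFFFF
    minute = diff >> 24                       # top byte: when it was issued
    if (now_minute - minute) & 0xFF > MAX_AGE_MINUTES:
        return None                           # stale cookie
    h2 = _h(SECRET2, saddr, daddr, sport, dport, minute)
    data = ((diff & 0xFFFFFF) - h2) & 0xFFFFFF
    if data >= len(MSS_TABLE):
        return None                           # hash mismatch or tampering
    return MSS_TABLE[data]
```

Because the only per-connection state is the table index, a client that offered MSS 1500 comes back as 1460, and anything the table cannot express is simply dropped, which is the degraded service the thread is about.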