From: Valdis Klētnieks
To: JeongHwan Kim
Cc: kernelnewbies@kernelnewbies.org
Subject: Re: TCP syn flooding protection
Date: Fri, 23 Apr 2021 04:19:30 -0400
Message-ID: <191475.1619165970@turing-police>
In-Reply-To: <0485e030-c915-14fa-5bff-c0a0895c295b@gmail.com>
On Fri, 23 Apr 2021 15:45:54 +0900, JeongHwan Kim said:

> I'm testing packet flooding with old kernel version 2.6.30.

[/usr/src/linux-next] git show v2.6.30 | grep Date
Date:   Tue Jun 9 20:05:37 2009 -0700
[/usr/src/linux-next] git diff --shortstat v2.6.30..HEAD
 82911 files changed, 25695096 insertions(+), 6275216 deletions(-)

You're almost 26 million lines and 12 years out of date. Why are you using such an old version? As GregKH will say, complain to the people who are forcing you to use such an outdated kernel version.

(Another indication of how much code change has happened is that 82,911 files were changed - but there are currently only 72,245 files in the source tree)

> My board experienced process starvation when injecting ICMP flood with hping3 tool.
> I modified softirq invocation routine to launch ksoftirqd instead of executing do_softirq
> and I limited the speed of ethernet phy to accept below 10Mbps.

What CPU are you running this on? Anything resembling modern hardware should be able to handle *much* higher data rates. Of course, if you're stuck with decade-old hardware, it's harder. But even a Sun3/50 with a 16MHz 68020 processor back in 1986 was able to deal with 10Mbps traffic.

Also, note that the critical point is the packets per second, not the bitrate of the PHY. On server-class hardware, it's trivial to get 10 gigabit/sec traffic when using MTU=9000, harder at MTU=1500, and *very* difficult to handle 10Gbit/s of 64-byte minimum size packets (even *generating* that many packets that fast requires some cleverness).

> It seems that the board can process flooding ICMP packets of 10Mbps,
> but the board cannot process against TCP/UDP packet flooding,
> the speed of processes becomes slow.

Well, it *should* self-protect against TCP packet flooding by simply not sending ACK packets with sequence numbers until those sequence numbers have actually been dealt with. However, UDP doesn't have any such built-in protections.

> How can I protect against TCP/UDP flooding in my environment?

It's not TCP/UDP flooding that's your problem. Packet flooding *in general* is a problem. The only reason you think ICMP is working is because the per-packet overhead for handling an ICMP flood packet is much lower - UDP and TCP have to do more processing, especially if the packet is going to a port number that's actually in use.

TCP packets to non-open ports are cheap to send an RST packet back, and UDP packets to non-open ports are equally cheap (but send an ICMP PORT UNREACHABLE instead), but if a TCP or UDP packet is going to an open port, there's a lot more processing that has to be done even if the packet is going to be discarded.
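The reply's central point is that the load a flood puts on a host is governed by packets per second rather than link bitrate. The following Python script is an added worked example, not part of the message or of any kernel code: it converts a link rate and frame size into the line-rate packet count (accounting for Ethernet preamble and inter-frame gap), derives the per-packet CPU budget a single core has at that rate, and shows how a hypothetical per-packet cost turns a 10 Mbps minimum-frame flood into more than a full core of work. The 100 µs per-packet cost and the comparison table are constructed values for illustration.

```python
"""Packets-per-second budget for an Ethernet link (added example, not from the thread).

On the wire every frame occupies its own bytes plus an 8-byte preamble/SFD and
a 12-byte inter-frame gap, so a 64-byte minimum frame takes 84 byte-times.
That is why 10 GbE tops out near 14.88 Mpps at minimum size while a 10 Mbps
PHY still delivers almost 15,000 packets per second.
"""

PREAMBLE_SFD_BYTES = 8   # 7-byte preamble + 1-byte start-of-frame delimiter
IFG_BYTES = 12           # minimum inter-frame gap (96 bit-times)
MIN_FRAME_BYTES = 64     # minimum Ethernet frame, FCS included
ETH_HDR_BYTES = 14       # dst MAC + src MAC + EtherType
FCS_BYTES = 4            # frame check sequence


def frame_bytes_for_mtu(mtu: int) -> int:
    """Untagged Ethernet frame length carrying an MTU-sized IP packet."""
    return mtu + ETH_HDR_BYTES + FCS_BYTES


def max_pps(link_bps: float, frame_bytes: int) -> float:
    """Line-rate frames per second for frame_bytes-sized frames on a link_bps link."""
    if frame_bytes < MIN_FRAME_BYTES:
        raise ValueError("frame shorter than the Ethernet minimum")
    bits_per_frame = (frame_bytes + PREAMBLE_SFD_BYTES + IFG_BYTES) * 8
    return link_bps / bits_per_frame


def cpu_budget_us(link_bps: float, frame_bytes: int = MIN_FRAME_BYTES) -> float:
    """Microseconds one packet may cost before a single core saturates at line rate."""
    return 1e6 / max_pps(link_bps, frame_bytes)


def cpu_fraction(link_bps: float, frame_bytes: int, per_packet_us: float) -> float:
    """Cores consumed by a line-rate flood when each packet costs per_packet_us of CPU."""
    return max_pps(link_bps, frame_bytes) * per_packet_us / 1e6


if __name__ == "__main__":
    # Constructed comparison: the 10 Mbps PHY from the thread and the 10 Gbit/s case the reply mentions.
    sizes = (MIN_FRAME_BYTES, frame_bytes_for_mtu(1500), frame_bytes_for_mtu(9000))
    for label, bps in (("10 Mbps PHY", 10e6), ("10 GbE", 10e9)):
        print(label)
        for size in sizes:
            print(f"  {size:5d}-byte frames: {max_pps(bps, size):14,.0f} pps, "
                  f"budget {cpu_budget_us(bps, size):9.2f} us/packet")
    # Hypothetical per-packet cost (constructed, not measured): 100 us of softirq + socket work.
    cores = cpu_fraction(10e6, MIN_FRAME_BYTES, 100)
    print(f"10 Mbps minimum-frame flood at 100 us/packet needs {cores:.2f} cores")
```

The budget figure is the one to compare against a measured per-packet cost on the board: at 10 Mbps and 64-byte frames a single core has about 67 µs per packet, so any receive path (softirq plus protocol and socket handling for an open port) that averages more than that will starve user-space processes regardless of how the ksoftirqd hand-off is arranged.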