* [OT] Re: Size of Tasks during ddos
2003-10-11 22:34 Size of Tasks during ddos Breno
@ 2003-09-11 0:27 ` Joshua Kwan
2003-09-11 2:10 ` Stan Bubrouski
2003-09-23 21:08 ` [OT] " bill davidsen
0 siblings, 2 replies; 19+ messages in thread
From: Joshua Kwan @ 2003-09-11 0:27 UTC (permalink / raw)
To: Breno, linux-kernel mailing list
On Sat, Oct 11, 2003 at 07:34:28PM -0300, Breno wrote:
^^^^^^^^^^^^^^^^^
Sorry, but could you PLEASE fix the date on your workstation? :(
--
Joshua Kwan
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [OT] Re: Size of Tasks during ddos
2003-09-11 0:27 ` [OT] " Joshua Kwan
@ 2003-09-11 2:10 ` Stan Bubrouski
2003-09-11 12:33 ` Breno Silva
2003-09-23 21:08 ` [OT] " bill davidsen
1 sibling, 1 reply; 19+ messages in thread
From: Stan Bubrouski @ 2003-09-11 2:10 UTC (permalink / raw)
To: Joshua Kwan; +Cc: Breno, linux-kernel mailing list
Joshua Kwan wrote:
> On Sat, Oct 11, 2003 at 07:34:28PM -0300, Breno wrote:
> ^^^^^^^^^^^^^^^^^
>
> Sorry, but could you PLEASE fix the date on your workstation? :(
>
I concur, for months his clock has been skewed
in different directions, Mozilla sorting by date
hates you Breno.
-sb
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: Size of Tasks during ddos
2003-09-11 2:10 ` Stan Bubrouski
@ 2003-09-11 12:33 ` Breno Silva
2003-09-11 14:19 ` Valdis.Kletnieks
0 siblings, 1 reply; 19+ messages in thread
From: Breno Silva @ 2003-09-11 12:33 UTC (permalink / raw)
To: Stan Bubrouski; +Cc: linux-kernel
Sorry Stan, but I connect from many machines.
My servers are in ddos attack, what I'd like to know is about size of tasks
in memory during this kind of attack. I have some ideas to do in my kernel.
Can someone talk about this situation?
thanks
Breno
----- Original Message -----
From: "Stan Bubrouski" <stan@ccs.neu.edu>
To: "Joshua Kwan" <joshk@triplehelix.org>
Cc: "Breno" <brenosp@brasilsec.com.br>; "linux-kernel mailing list"
<linux-kernel@vger.kernel.org>
Sent: Wednesday, September 10, 2003 11:10 PM
Subject: Re: [OT] Re: Size of Tasks during ddos
> Joshua Kwan wrote:
>
> > On Sat, Oct 11, 2003 at 07:34:28PM -0300, Breno wrote:
> > ^^^^^^^^^^^^^^^^^
> >
> > Sorry, but could you PLEASE fix the date on your workstation? :(
> >
>
> I concur, for months his clock has been skewed
> in different directions, Mozilla sorting by date
> hates you Breno.
>
> -sb
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: Size of Tasks during ddos
2003-09-11 12:33 ` Breno Silva
@ 2003-09-11 14:19 ` Valdis.Kletnieks
2003-09-11 17:27 ` Breno
2003-09-11 17:28 ` Mike Fedyk
0 siblings, 2 replies; 19+ messages in thread
From: Valdis.Kletnieks @ 2003-09-11 14:19 UTC (permalink / raw)
To: Breno Silva; +Cc: Stan Bubrouski, linux-kernel
On Thu, 11 Sep 2003 09:33:41 -0300, Breno Silva said:
> My servers are in ddos attack, what I'd like to know is about size of tasks
> in memory during this kind of attack. I have some ideas to do in my kernel.
The answer will differ depending whether (for example) you're being ICMP
flooded, SYN-flooded, hit with a mass of HTTP 'GET /' commands, hit with a mass
of HTTP commands that invoke a resource-intensive CGI like a database search,
and so on.
We'd really need to know what the traffic involved in the DDoS is in order to
be able to comment on memory usage.
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: Size of Tasks during ddos
2003-09-11 14:19 ` Valdis.Kletnieks
@ 2003-09-11 17:27 ` Breno
2003-09-11 18:41 ` Alan Cox
2003-09-11 17:28 ` Mike Fedyk
1 sibling, 1 reply; 19+ messages in thread
From: Breno @ 2003-09-11 17:27 UTC (permalink / raw)
To: Valdis.Kletnieks; +Cc: Stan Bubrouski, linux-kernel
This is a Syn Flood DDoS
att
Breno
----- Original Message -----
From: <Valdis.Kletnieks@vt.edu>
To: "Breno Silva" <brenosp@brasilsec.com.br>
Cc: "Stan Bubrouski" <stan@ccs.neu.edu>; <linux-kernel@vger.kernel.org>
Sent: Thursday, September 11, 2003 11:19 AM
Subject: Re: Size of Tasks during ddos
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: Size of Tasks during ddos
2003-09-11 14:19 ` Valdis.Kletnieks
2003-09-11 17:27 ` Breno
@ 2003-09-11 17:28 ` Mike Fedyk
1 sibling, 0 replies; 19+ messages in thread
From: Mike Fedyk @ 2003-09-11 17:28 UTC (permalink / raw)
To: Valdis.Kletnieks; +Cc: Breno Silva, Stan Bubrouski, linux-kernel
On Thu, Sep 11, 2003 at 10:19:37AM -0400, Valdis.Kletnieks@vt.edu wrote:
> The answer will differ depending whether (for example) you're being ICMP
> flooded, SYN-flooded, hit with a mass of HTTP 'GET /' commands, hit with a mass
> of HTTP commands that invoke a resource-intensive CGI like a database search,
> and so on.
>
> We'd really need to know what the traffic involved in the DDoS is in order to
> be able to comment on memory usage.
True, but it's not a ddos unless they do everything they can to disable the
target system. Sure they could just flood your net pipe, but why do that
when you could have fewer senders and completely kill the box for a long
time while it tries to process all of your requests (assuming you're running
services accessible from the net).
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: Size of Tasks during ddos
2003-09-11 17:27 ` Breno
@ 2003-09-11 18:41 ` Alan Cox
2003-09-11 21:23 ` Mike Fedyk
[not found] ` <002801c3789e$7a665ac0$9f0210ac@forumci.com.br>
0 siblings, 2 replies; 19+ messages in thread
From: Alan Cox @ 2003-09-11 18:41 UTC (permalink / raw)
To: Breno; +Cc: Valdis.Kletnieks, Stan Bubrouski, Linux Kernel Mailing List
On Iau, 2003-09-11 at 18:27, Breno wrote:
> This is a Syn Flood DDoS
echo "1" >/proc/sys/net/ipv4/tcp_syncookies
End of problem.
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: Size of Tasks during ddos
2003-09-11 18:41 ` Alan Cox
@ 2003-09-11 21:23 ` Mike Fedyk
2003-09-11 21:26 ` Alan Cox
2003-09-11 22:15 ` Arjan van de Ven
[not found] ` <002801c3789e$7a665ac0$9f0210ac@forumci.com.br>
1 sibling, 2 replies; 19+ messages in thread
From: Mike Fedyk @ 2003-09-11 21:23 UTC (permalink / raw)
To: Alan Cox; +Cc: Breno, Valdis.Kletnieks, Stan Bubrouski,
Linux Kernel Mailing List
On Thu, Sep 11, 2003 at 07:41:10PM +0100, Alan Cox wrote:
> On Iau, 2003-09-11 at 18:27, Breno wrote:
> > This is a Syn Flood DDoS
>
> echo "1" >/proc/sys/net/ipv4/tcp_syncookies
>
> End of problem.
And why isn't this on by default when it's compiled in?
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: Size of Tasks during ddos
2003-09-11 21:23 ` Mike Fedyk
@ 2003-09-11 21:26 ` Alan Cox
2003-09-11 21:30 ` Mike Fedyk
2003-09-11 22:15 ` Arjan van de Ven
1 sibling, 1 reply; 19+ messages in thread
From: Alan Cox @ 2003-09-11 21:26 UTC (permalink / raw)
To: Mike Fedyk
Cc: Breno, Valdis.Kletnieks, Stan Bubrouski,
Linux Kernel Mailing List
On Iau, 2003-09-11 at 22:23, Mike Fedyk wrote:
> On Thu, Sep 11, 2003 at 07:41:10PM +0100, Alan Cox wrote:
> > On Iau, 2003-09-11 at 18:27, Breno wrote:
> > > This is a Syn Flood DDoS
> >
> > echo "1" >/proc/sys/net/ipv4/tcp_syncookies
> >
> > End of problem.
>
> And why isn't this on by default when it's compiled in?
Syncookies protect you from DoS stuff but they have other side
effects on efficiency when they are in use.
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: Size of Tasks during ddos
2003-09-11 21:26 ` Alan Cox
@ 2003-09-11 21:30 ` Mike Fedyk
2003-09-11 21:40 ` Alan Cox
0 siblings, 1 reply; 19+ messages in thread
From: Mike Fedyk @ 2003-09-11 21:30 UTC (permalink / raw)
To: Alan Cox; +Cc: Breno, Valdis.Kletnieks, Stan Bubrouski,
Linux Kernel Mailing List
On Thu, Sep 11, 2003 at 10:26:19PM +0100, Alan Cox wrote:
> On Iau, 2003-09-11 at 22:23, Mike Fedyk wrote:
> > On Thu, Sep 11, 2003 at 07:41:10PM +0100, Alan Cox wrote:
> > > On Iau, 2003-09-11 at 18:27, Breno wrote:
> > > > This is a Syn Flood DDoS
> > >
> > > echo "1" >/proc/sys/net/ipv4/tcp_syncookies
> > >
> > > End of problem.
> >
> > And why isn't this on by default when it's compiled in?
>
> Syncookies protect you from DoS stuff but they have other side
> effects on efficiency when they are in use.
Care to point me to a thread in the archives? I'd like to read more about
this.
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: Size of Tasks during ddos
2003-09-11 21:30 ` Mike Fedyk
@ 2003-09-11 21:40 ` Alan Cox
0 siblings, 0 replies; 19+ messages in thread
From: Alan Cox @ 2003-09-11 21:40 UTC (permalink / raw)
To: Mike Fedyk
Cc: Breno, Valdis.Kletnieks, Stan Bubrouski,
Linux Kernel Mailing List
On Iau, 2003-09-11 at 22:30, Mike Fedyk wrote:
> > Syncookies protect you from DoS stuff but they have other side
> > effects on efficiency when they are in use.
>
> Care to point me to a thread in the archives? I'd like to read more about
> this.
Not sure offhand where the thread is. The quick summary is
Syn cookies accept the SYN frame and encode sufficient information into
the reply that they can avoid storing any data until the next packet
arrives from the other end completing the connection.
That means squashing all the information we track (mss, window, etc)
into very few bits. A modern TCP will offer large windows, selective ack
and other features which we can't fit into a syn cookie so with this off
a burst of traffic will cause pauses while the socket queue clears and
negotiate fully featured TCP, with syncookies enabled many of the
connections on the burst will not have the extra features so may not
perform as well.
^ permalink raw reply [flat|nested] 19+ messages in thread
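The scheme summarised in the message above, as an added Python sketch that is not part of the thread and not the kernel's code: the server packs a time slot, a 3-bit MSS index and a keyed MAC into its 32-bit initial sequence number, stores nothing, and rebuilds the state from the final ACK. The 5/3/24 bit layout, `SECRET`, `MSS_TABLE` and the use of HMAC-SHA256 are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

SECRET = b"constructed-demo-secret"  # constructed; a real stack uses a random secret
MSS_TABLE = [216, 536, 768, 996, 1220, 1340, 1440, 1460]  # assumed table, 8 entries = 3 bits

def _mac24(flow, client_isn, counter):
    """24-bit keyed MAC over the 4-tuple, the client's ISN and the time slot."""
    src, sport, dst, dport = flow
    msg = f"{src}:{sport}>{dst}:{dport}".encode()
    msg += struct.pack("!IB", client_isn, counter)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")

def make_cookie(flow, client_isn, client_mss, now):
    """Server ISN for the SYN-ACK. No per-connection memory is allocated here."""
    counter = (now // 64) % 32  # 5 bits: 64-second time slot
    # Squash the offered MSS to the largest table entry that does not exceed it.
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    return (counter << 27) | (idx << 24) | _mac24(flow, client_isn, counter)

def check_cookie(flow, client_isn, ack_number, now, max_age_slots=2):
    """Validate the handshake-completing ACK; return the recovered MSS or None."""
    cookie = (ack_number - 1) & 0xFFFFFFFF  # the ACK acknowledges server ISN + 1
    counter, idx = cookie >> 27, (cookie >> 24) & 0x7
    if ((now // 64) - counter) % 32 > max_age_slots:
        return None  # cookie too old
    mac = _mac24(flow, client_isn, counter).to_bytes(3, "big")
    if not hmac.compare_digest((cookie & 0xFFFFFF).to_bytes(3, "big"), mac):
        return None  # ACK does not match a cookie we issued for this flow
    return MSS_TABLE[idx]  # window scale, SACK etc. were never encoded, so are lost

def demo():
    flow = ("192.0.2.10", 40000, "198.51.100.5", 80)  # constructed sample flow
    cookie = make_cookie(flow, client_isn=0x1000, client_mss=1400, now=1_000_000)
    ack = (cookie + 1) & 0xFFFFFFFF
    good = check_cookie(flow, 0x1000, ack, now=1_000_030)
    tampered = check_cookie(flow, 0x1000, ((cookie ^ 1) + 1) & 0xFFFFFFFF, now=1_000_030)
    stale = check_cookie(flow, 0x1000, ack, now=1_000_320)
    return good, tampered, stale

if __name__ == "__main__":
    print(demo())
```

The client offered an MSS of 1400 but the connection comes back with 1340, and no other option survives the round trip, which is the efficiency cost described in the message.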
* Re: Size of Tasks during ddos
2003-10-11 22:09 ` Breno
@ 2003-09-11 22:14 ` Alan Cox
2003-09-12 15:36 ` insecure
1 sibling, 0 replies; 19+ messages in thread
From: Alan Cox @ 2003-09-11 22:14 UTC (permalink / raw)
To: Breno; +Cc: Linux Kernel Mailing List
On Sad, 2003-10-11 at 23:09, Breno wrote:
> Suppose that one task during a ddos receives much data, so it can try to
> alloc much memory to control this data, or to control the list of sockets in
> listen state.
Syncookies don't allocate memory until the connection finishes the 3 way
handshake with the other side.
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: Size of Tasks during ddos
2003-09-11 21:23 ` Mike Fedyk
2003-09-11 21:26 ` Alan Cox
@ 2003-09-11 22:15 ` Arjan van de Ven
1 sibling, 0 replies; 19+ messages in thread
From: Arjan van de Ven @ 2003-09-11 22:15 UTC (permalink / raw)
To: Mike Fedyk
Cc: Alan Cox, Breno, Valdis.Kletnieks, Stan Bubrouski,
Linux Kernel Mailing List
On Thu, 2003-09-11 at 23:23, Mike Fedyk wrote:
> On Thu, Sep 11, 2003 at 07:41:10PM +0100, Alan Cox wrote:
>
> And why isn't this on by default when it's compiled in?
there's several reasons; one of them is a bit cheap: a webserver
benchmark done by a journalist looks a lot like a DoS in this respect ;)
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: Size of Tasks during ddos
[not found] ` <uHuj.7yv.9@gated-at.bofh.it>
@ 2003-09-11 23:08 ` Andi Kleen
0 siblings, 0 replies; 19+ messages in thread
From: Andi Kleen @ 2003-09-11 23:08 UTC (permalink / raw)
To: Alan Cox; +Cc: Breno, Stan Bubrouski, Linux Kernel Mailing List, Mike Fedyk
Alan Cox <alan@lxorguk.ukuu.org.uk> writes:
> Syn cookies accept the SYN frame and encode sufficient information into
> the reply that they can avoid storing any data until the next packet
> arrives from the other end completing the connection.
>
> That means squashing all the information we track (mss, window, etc)
> into very few bits. A modern TCP will offer large windows, selective ack
> and other features which we can't fit into a syn cookie so with this off
> a burst of traffic will cause pauses while the socket queue clears and
> negotiate fully featured TCP, with syncookies enabled many of the
> connections on the burst will not have the extra features so may not
> perform as well.
Another side effect of syncookies is that flow control for new
connections breaks: when you have a client that is connecting to an
overloaded server it will only notice this after a long timeout. With
syncookies off you get actually useful errnos back on connect().
(overloaded here doesn't necessarily mean DoS, just e.g. a single threaded
service that is taking a long time to do some job and expresses this
with a small argument to listen())
-Andi
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: Size of Tasks during ddos
2003-10-11 22:09 ` Breno
2003-09-11 22:14 ` Alan Cox
@ 2003-09-12 15:36 ` insecure
2003-09-12 17:56 ` Mail header times was: " Mike Fedyk
1 sibling, 1 reply; 19+ messages in thread
From: insecure @ 2003-09-12 15:36 UTC (permalink / raw)
To: Breno, Alan Cox; +Cc: Kernel List
On Sunday 12 October 2003 01:09, Breno wrote:
> Suppose that one task during a ddos receives much data, so it can try to
> alloc much memory to control this data, or to control the list of sockets
> in listen state.
Hi Breno,
Can you please fix your clock? Thanks
--
vda
^ permalink raw reply [flat|nested] 19+ messages in thread
* Mail header times was: Size of Tasks during ddos
2003-09-12 15:36 ` insecure
@ 2003-09-12 17:56 ` Mike Fedyk
0 siblings, 0 replies; 19+ messages in thread
From: Mike Fedyk @ 2003-09-12 17:56 UTC (permalink / raw)
To: insecure; +Cc: Breno, Alan Cox, Kernel List
On Fri, Sep 12, 2003 at 06:36:01PM +0300, insecure wrote:
> On Sunday 12 October 2003 01:09, Breno wrote:
> > Suppose that one task during a ddos receives much data, so it can try to
> > alloc much memory to control this data, or to control the list of sockets
> > in listen state.
>
> Hi Breno,
>
> Can you please fix your clock? Thanks
Sorting by received date is your friend. ;) If kmail doesn't have that,
please file a bug report.
Breno, and ntp is your friend. :-D
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [OT] Re: Size of Tasks during ddos
2003-09-11 0:27 ` [OT] " Joshua Kwan
2003-09-11 2:10 ` Stan Bubrouski
@ 2003-09-23 21:08 ` bill davidsen
1 sibling, 0 replies; 19+ messages in thread
From: bill davidsen @ 2003-09-23 21:08 UTC (permalink / raw)
To: linux-kernel
In article <20030911002755.GA13177@triplehelix.org>,
Joshua Kwan <joshk@triplehelix.org> wrote:
|
| On Sat, Oct 11, 2003 at 07:34:28PM -0300, Breno wrote:
| ^^^^^^^^^^^^^^^^^
|
| Sorry, but could you PLEASE fix the date on your workstation? :(
His date is perfectly fine, he just needs to fix the time zone ;-)
--
bill davidsen <davidsen@tmr.com>
CTO, TMR Associates, Inc
Doing interesting things with little computers since 1979.
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: Size of Tasks during ddos
[not found] ` <1063312815.3886.0.camel@dhcp23.swansea.linux.org.uk>
@ 2003-10-11 22:09 ` Breno
2003-09-11 22:14 ` Alan Cox
2003-09-12 15:36 ` insecure
0 siblings, 2 replies; 19+ messages in thread
From: Breno @ 2003-10-11 22:09 UTC (permalink / raw)
To: Alan Cox; +Cc: Kernel List
Suppose that one task during a ddos receives much data, so it can try to
alloc much memory to control this data, or to control the list of sockets in
listen state.
att
Breno
----- Original Message -----
From: "Alan Cox" <alan@lxorguk.ukuu.org.uk>
To: "Breno" <brenosp@brasilsec.com.br>
Sent: Thursday, September 11, 2003 5:40 PM
Subject: Re: Size of Tasks during ddos
On Iau, 2003-09-11 at 20:54, Breno wrote:
> Alan
>
> This is not the point. I'd like to know about size of tasks in memory.
What does a synflood attack have to do with that? There is no reason
they should change.
^ permalink raw reply [flat|nested] 19+ messages in thread
* Size of Tasks during ddos
@ 2003-10-11 22:34 Breno
2003-09-11 0:27 ` [OT] " Joshua Kwan
0 siblings, 1 reply; 19+ messages in thread
From: Breno @ 2003-10-11 22:34 UTC (permalink / raw)
To: Kernel List
Hi
One task like a httpd or named, during a ddos attack, has its size in
memory increased?
att,
Breno
^ permalink raw reply [flat|nested] 19+ messages in thread