From: Andi Kleen <andi@firstfloor.org>
To: Ross Vandegrift <ross@kallisti.us>
Cc: Andi Kleen <andi@firstfloor.org>,
Glenn Griffin <ggriffin.kernel@gmail.com>,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] Add IPv6 support to TCP SYN cookies
Date: Fri, 8 Feb 2008 13:07:46 +0100 [thread overview]
Message-ID: <20080208120746.GE4745@one.firstfloor.org> (raw)
In-Reply-To: <20080207194446.GA25463@kallisti.us>
On Thu, Feb 07, 2008 at 02:44:46PM -0500, Ross Vandegrift wrote:
> On Wed, Feb 06, 2008 at 09:53:57AM +0100, Andi Kleen wrote:
> > That would be useful yes -- for different bandwidths.
>
> My initial test is end-to-end 1000Mbps, but I've got a few different
> packet rates.
>
> > If the young/old heuristics do not work well enough anymore most
> > likely we should try readding RED to the syn queue again. That used
> > to be pretty effective in the early days. I don't quite remember why
> > Linux didn't end up using it in fact.
>
> I'm running juno-z with 2, 4, & 8 threads of syn flood to port 80.
> wireshark measures 2 threads at 350pps, 4 threads at 750pps, and 8
What's the total bandwidth of the attack?
> threads at 1200pps. Under no SYN flood, the server handles 750 HTTP
> requests per second, measured via httping in flood mode.
Thanks for the tests. Could you please do an additional experiment?
Use sch_em or similar to add a jittering longer latency in the connection
(as would be realistic in a real distributed DOS). Does it make a
difference?
> With a default tcp_max_syn_backlog of 1024, I can trivially prevent
> any inbound client connections with 2 threads of syn flood.
> Enabling tcp_syncookies brings the connection handling back up to 725
> fetches per second.
Yes the defaults are probably too low. That's something that should
be fixed.
>
> At these levels the CPU impact of tcp_syncookies is nothing. I can't
CPU impact of syncookies was never a concern. The problems are rather
missing flow control and disabling of valuable TCP features.
> BUG: soft lockup detected on CPU#1!
> [<c044d1ec>] softlockup_tick+0x96/0xa4
> [<c042ddb0>] update_process_times+0x39/0x5c
> [<c04196f7>] smp_apic_timer_interrupt+0x5b/0x6c
> [<c04059bf>] apic_timer_interrupt+0x1f/0x24
> [<c045007b>] taskstats_exit_send+0x152/0x371
> [<c05c007b>] netlink_kernel_create+0x5/0x11c
> [<c05a7415>] reqsk_queue_alloc+0x32/0x81
> [<c05a5aca>] lock_sock+0x8e/0x96
I think the softirqs are starving user context through the socket
lock. Probably should be fixed too. Something like softirq should
detect when there is a user and it is looping too long and should
give up the lock for some time.
-Andi
next prev parent reply other threads:[~2008-02-08 11:32 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-02-04 23:01 [PATCH] Add IPv6 support to TCP SYN cookies Glenn Griffin
2008-02-05 15:55 ` Andi Kleen
2008-02-05 15:42 ` Alan Cox
2008-02-05 16:39 ` Andi Kleen
2008-02-05 16:03 ` Alan Cox
2008-02-05 16:48 ` Andi Kleen
2008-02-05 16:14 ` Alan Cox
2008-02-05 20:50 ` Willy Tarreau
2008-02-05 18:29 ` Glenn Griffin
2008-02-05 19:25 ` Ross Vandegrift
2008-02-05 20:11 ` Andi Kleen
2008-02-05 21:23 ` Ross Vandegrift
2008-02-06 8:53 ` Andi Kleen
2008-02-07 19:44 ` Ross Vandegrift
2008-02-08 12:07 ` Andi Kleen [this message]
2008-02-12 20:38 ` Ross Vandegrift
2008-02-05 20:02 ` Andi Kleen
2008-02-05 20:39 ` Evgeniy Polyakov
2008-02-05 20:53 ` Andi Kleen
2008-02-05 21:50 ` Evgeniy Polyakov
2008-02-05 21:20 ` Alan Cox
2008-02-05 21:52 ` Evgeniy Polyakov
2008-02-05 21:20 ` Willy Tarreau
2008-02-05 22:05 ` Alan Cox
2008-02-06 1:52 ` Glenn Griffin
2008-02-06 7:50 ` Andi Kleen
2008-02-06 17:36 ` Glenn Griffin
2008-02-06 18:45 ` Andi Kleen
2008-02-06 23:03 ` Glenn Griffin
2008-02-06 9:13 ` Evgeniy Polyakov
2008-02-06 18:30 ` Glenn Griffin
2008-02-07 7:24 ` Evgeniy Polyakov
2008-02-07 9:40 ` Eric Dumazet
2008-02-08 5:32 ` Glenn Griffin
2008-02-08 5:49 ` Glenn Griffin
2008-02-11 16:07 ` YOSHIFUJI Hideaki / 吉藤英明
2008-02-18 23:45 ` Glenn Griffin
2008-02-13 7:31 ` YOSHIFUJI Hideaki / 吉藤英明
2008-02-05 19:57 ` Jan Engelhardt
2008-02-05 21:25 ` Alan Cox
-- strict thread matches above, loose matches on Subject: below --
2008-02-04 23:01 Glenn Griffin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20080208120746.GE4745@one.firstfloor.org \
--to=andi@firstfloor.org \
--cc=ggriffin.kernel@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=ross@kallisti.us \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox