From: Ben Greear <greearb@candelatech.com>
To: "David S. Miller" <davem@redhat.com>
Cc: john@grabjohn.com, cfriesen@nortelnetworks.com, ahu@ds9a.nl,
linux-kernel@vger.kernel.org
Subject: Re: problems achieving decent throughput with latency.
Date: Mon, 03 Feb 2003 23:50:05 -0800 [thread overview]
Message-ID: <3E3F70AD.7060901@candelatech.com> (raw)
In-Reply-To: <20030203.211933.27826107.davem@redhat.com>
David S. Miller wrote:
> From: Ben Greear <greearb@candelatech.com>
> Date: Mon, 03 Feb 2003 10:03:48 -0800
>
> Also, if it's as simple as allocating a few more buffers for tcp, maybe we
> should consider defaulting to higher in the normal kernel? (I'm not suggesting
> **my** numbers..)
>
> The current values are the only "safe" defaults. Here "safe" means
> that if you have thousands of web connections, clients cannot force
> the serve to queue large amounts of traffic per socket.
>
> The attack goes something like: Open N thousand connections to
> server, ask for large static object, do not ACK any of the data
> packets. Server must thus hold onto N thousnad * maximum socket
> write buffer bytes amount of memory.
Why would it use the maximum socket for a connection with low to
no acks, ie low to no throughput? Seems like the connection would
have to scale up to full speed/sliding-window, which would require the DoS guy
to have large receive bandwidth, and also enough precision to stop acking
as soon as the window gets big (but before the object download has
completed.) This does not seem like a great DoS to me.
On my system, the default memory seems to be about 80k (docs say it
is based on how much memory I have (128MB)). How big can N get?
If N is 10k I can be DOS'd for only 800k?
--
Ben Greear <greearb@candelatech.com> <Ben_Greear AT excite.com>
President of Candela Technologies Inc http://www.candelatech.com
ScryMUD: http://scry.wanfear.com http://scry.wanfear.com/~greear
next prev parent reply other threads:[~2003-02-04 7:40 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-02-02 7:38 problems achieving decent throughput with latency Ben Greear
2003-02-02 11:48 ` bert hubert
2003-02-03 5:14 ` David S. Miller
2003-02-03 15:37 ` Chris Friesen
2003-02-03 16:11 ` John Bradford
2003-02-03 16:19 ` bert hubert
2003-02-03 18:03 ` Ben Greear
2003-02-03 19:18 ` Eric Weigle
2003-02-04 5:19 ` David S. Miller
2003-02-04 7:50 ` Ben Greear [this message]
2003-02-04 7:39 ` David S. Miller
2003-02-04 8:42 ` Ben Greear
2003-02-04 8:41 ` David S. Miller
2003-02-04 8:51 ` Ben Greear
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3E3F70AD.7060901@candelatech.com \
--to=greearb@candelatech.com \
--cc=ahu@ds9a.nl \
--cc=cfriesen@nortelnetworks.com \
--cc=davem@redhat.com \
--cc=john@grabjohn.com \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox