From: Andi Kleen <ak@muc.de>
To: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: Breno <brenosp@brasilsec.com.br>,
Stan Bubrouski <stan@ccs.neu.edu>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Mike Fedyk <mfedyk@matchmail.com>
Subject: Re: Size of Tasks during ddos
Date: Fri, 12 Sep 2003 01:08:49 +0200
Message-ID: <m3r82mkjni.fsf@averell.firstfloor.org>
In-Reply-To: <uHuj.7yv.9@gated-at.bofh.it> (Alan Cox's message of "Thu, 11 Sep 2003 23:50:11 +0200")
Alan Cox <alan@lxorguk.ukuu.org.uk> writes:
> Syn cookies accept the SYN frame and encode sufficient information into
> the reply that they can avoid storing any data until the next packet
> arrives from the other end completing the connection.
>
> That means squashing all the information we track (mss, window, etc)
> into very few bits. A modern TCP will offer large windows, selective ack
> and other features which we can't fit into a syn cookie, so with this off
> a burst of traffic will cause pauses while the socket queue clears and
> negotiate fully featured TCP; with syncookies enabled many of the
> connections in the burst will not have the extra features so may not
> perform as well.
Another side effect of syncookies is that flow control for new
connections breaks: when you have a client that is connecting to an
overloaded server it will only notice this after a long timeout. With
syncookies off you actually get useful errnos back on connect().
(Overloaded here doesn't necessarily mean DoS, just e.g. a single-threaded
service that is taking a long time to do some job and expresses this
with a small argument to listen().)
-Andi
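The "very few bits" point above, as an added Python model of the classic Bernstein SYN cookie layout (not the kernel's code; the MSS table, secret and the use of HMAC-SHA256 as the hash are assumptions):

```python
import hmac
import hashlib
import struct

# Toy model of the classic (Bernstein) SYN cookie layout, not kernel code:
#   bits 31..27: time counter (64-second units) mod 32
#   bits 26..24: index into a small MSS table
#   bits 23..0 : keyed hash over the 4-tuple and the counter
# Only a rounded MSS survives; there is no room for SACK, window scale or
# the peer's window, which is the loss the thread describes.
MSS_TABLE = (536, 1300, 1440, 1460)      # constructed table, 3-bit index
SECRET = b"constructed-demo-secret"       # the kernel uses a random per-boot key
VALID_COUNTERS = 2                        # accept current and previous counter


def mss_index(peer_mss):
    """Largest table entry not above the peer's advertised MSS."""
    idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= peer_mss:
            idx = i
    return idx


def _mac24(saddr, sport, daddr, dport, counter, secret=SECRET):
    """24-bit keyed hash; HMAC-SHA256 stands in for the kernel's hash."""
    msg = struct.pack("!4sH4sHI", saddr, sport, daddr, dport, counter)
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(saddr, sport, daddr, dport, peer_mss, counter, secret=SECRET):
    """ISN placed in the SYN-ACK; the server stores nothing for this SYN."""
    return ((counter & 0x1F) << 27) | (mss_index(peer_mss) << 24) \
        | _mac24(saddr, sport, daddr, dport, counter, secret)


def check_cookie(saddr, sport, daddr, dport, cookie, now_counter, secret=SECRET):
    """Validate (ack_seq - 1) from the final ACK; return the MSS or None."""
    t, idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    if idx >= len(MSS_TABLE):
        return None
    for c in range(now_counter, now_counter - VALID_COUNTERS, -1):
        if (c & 0x1F) == t and _mac24(saddr, sport, daddr, dport, c, secret) == mac:
            return MSS_TABLE[idx]
    return None
```

A 1400-byte MSS comes back as 1300 and a cookie older than two counters is rejected, which is the whole state the server gets back from the handshake.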