From: Jesper Dangaard Brouer <brouer@redhat.com>
To: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Andi Kleen <andi@firstfloor.org>,
netdev@vger.kernel.org,
Christoph Paasch <christoph.paasch@uclouvain.be>,
"David S. Miller" <davem@davemloft.net>,
Martin Topholm <mph@hoth.dk>, Florian Westphal <fw@strlen.de>,
Hans Schillstrom <hans.schillstrom@ericsson.com>,
Martin Topholm <mph@hoth.dk>
Subject: Re: [RFC PATCH 2/2] tcp: Early SYN limit and SYN cookie handling to mitigate SYN floods
Date: Wed, 30 May 2012 11:24:23 +0200 [thread overview]
Message-ID: <1338369863.7747.96.camel@localhost> (raw)
In-Reply-To: <1338365702.2760.112.camel@edumazet-glaptop>
On Wed, 2012-05-30 at 10:15 +0200, Eric Dumazet wrote:
> On Wed, 2012-05-30 at 09:45 +0200, Jesper Dangaard Brouer wrote:
>
> > Sounds interesting, but TCP Fast Open is primarily concerned with
> > enabling data exchange during SYN establishment. I don't see any
> > indication that they have implemented parallel SYN handling.
> >
>
> Not at all, TCP fast open main goal is to allow connection establishment
> with a single packet (thus removing one RTT). This also removes the
> whole idea of having half-sockets (in SYN_RCV state)
>
> Then, allowing DATA in the SYN packet is an extra bonus, only if the
> whole request can fit in the packet (it is unlikely for typical http
> requests)
>
>
> > Implementing parallel SYN handling, should also benefit their work.
>
> Why do you think I am working on this ? Hint : I am a Google coworker.
Did know you work for Google, but didn't know you worked actively on
parallel SYN handling. Your previous quote "eventually in a short
time", indicated to me, that I should solve the issue my self first, and
then we would replace my code with your full solution later.
> > After studying this code path, I also see great performance benefit in
> > also optimizing the normal 3WHS on sock's in sk_state == LISTEN.
> > Perhaps we should split up the code path for LISTEN vs. ESTABLISHED, as
> > they are very entangled at the moment AFAIKS.
> >
> > > Yuchung Cheng and Jerry Chu should upstream this code in a very near
> > > future.
> >
> > Looking forward to see the code, and the fallout discussions, on
> > transferring data on SYN packets.
> >
>
> Problem is this code will be delayed if we change net-next code in this
> area, because we'll have to rebase and retest everything.
Okay, don't want to delay your work. We can wait merging my cleanup
patches, and I can take the pain of rebasing them after your work is
merged. And then we will see if my performance patches have gotten
obsolete.
I'm going to post some updated v2 patches, just because I know some
people that are desperate for a quick solution to their DDoS issues, and
are willing patch their kernels for production.
> > > Another way to mitigate SYN scalability issues before the full RCU
> > > solution I was cooking is to either :
> > >
> > > 1) Use a hardware filter (like on Intel NICS) to force all SYN packets
> > > going to one queue (so that they are all serviced on one CPU)
> > >
> > > 2) Tweak RPS (__skb_get_rxhash()) so that SYN packets rxhash is not
> > > dependent on src port/address, to get same effect (All SYN packets
> > > processed by one cpu). Note this only address the SYN flood problem, not
> > > the general 3WHS scalability one, since if real connection is
> > > established, the third packet (ACK from client) will have the 'real'
> > > rxhash and will be processed by another cpu.
> >
> > I don't like the idea of overloading one CPU with SYN packets. As the
> > attacker can still cause a DoS on new connections.
> >
>
> One CPU can handle more than one million SYN per second, while 32 cpus
> fighting on socket lock can not handle 1 % of this load.
Not sure, one CPU can handle 1Mpps on this particular path. And Hans
have some other measurements, although I'm assuming he has small CPUs.
But if you are working on the real solution, we don't need to discuss
this :-)
> If Intel chose to implement this hardware filter in their NIC, its for a
> good reason.
>
>
> > My "unlocked" parallel SYN cookie approach, should favor established
> > connections, as they are allowed to run under a BH lock, and thus don't
> > let new SYN packets in (on this CPU), until the establish conn packet is
> > finished. Unless I have misunderstood something... I think I have,
> > established connections have their own/seperate struck sock, and thus
> > this is another slock spinlock, right?. (Well let Eric bash me for
> > this ;-))
>
> It seems you forgot I have patches to have full parallelism, not only
> the SYNCOOKIE hack.
I'm so much, looking forward to this :-)
> I am still polishing them, its a _long_ process, especially if network
> tree changes a lot.
>
> If you believe you can beat me on this, please let me know so that I can
> switch to other tasks.
I don't dare to go into that battle with the network ninja, I surrender.
DaveM, Eric's patches take precedence over mine...
/me Crawing back into my cave, and switching to boring bugzilla cases of
backporting kernel patches instead...
--
Best regards,
Jesper Dangaard Brouer
MSc.CS, Sr. Network Kernel Developer at Red Hat
Author of http://www.iptv-analyzer.org
LinkedIn: http://www.linkedin.com/in/brouer
next prev parent reply other threads:[~2012-05-30 9:24 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-05-28 11:52 [RFC PATCH 0/2] Faster/parallel SYN handling to mitigate SYN floods Jesper Dangaard Brouer
2012-05-28 11:52 ` [RFC PATCH 1/2] tcp: extract syncookie part of tcp_v4_conn_request() Jesper Dangaard Brouer
2012-05-28 11:52 ` [RFC PATCH 2/2] tcp: Early SYN limit and SYN cookie handling to mitigate SYN floods Jesper Dangaard Brouer
2012-05-29 19:37 ` Andi Kleen
2012-05-29 20:18 ` David Miller
2012-05-30 6:41 ` Eric Dumazet
2012-05-30 7:45 ` Jesper Dangaard Brouer
2012-05-30 8:15 ` Eric Dumazet
2012-05-30 9:24 ` Jesper Dangaard Brouer [this message]
2012-05-30 9:46 ` Eric Dumazet
2012-05-30 8:03 ` Hans Schillstrom
2012-05-30 8:24 ` Eric Dumazet
2012-05-30 11:14 ` Hans Schillstrom
2012-05-30 21:20 ` Rick Jones
2012-05-31 8:28 ` Eric Dumazet
2012-05-31 8:45 ` Hans Schillstrom
2012-05-31 14:09 ` Eric Dumazet
2012-05-31 15:31 ` Hans Schillstrom
2012-05-31 17:16 ` Eric Dumazet
2012-05-28 16:14 ` [RFC PATCH 0/2] Faster/parallel SYN " Christoph Paasch
2012-05-29 20:17 ` Jesper Dangaard Brouer
2012-05-29 20:36 ` Christoph Paasch
2012-05-30 8:44 ` Jesper Dangaard Brouer
2012-05-30 8:50 ` Eric Dumazet
2012-05-30 8:53 ` Christoph Paasch
2012-05-30 22:40 ` Jesper Dangaard Brouer
2012-05-31 12:51 ` Jesper Dangaard Brouer
2012-05-31 12:58 ` Eric Dumazet
2012-05-31 13:04 ` Jesper Dangaard Brouer
2012-05-31 13:10 ` Eric Dumazet
2012-05-31 13:24 ` Jesper Dangaard Brouer
2012-05-30 4:45 ` Eric Dumazet
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1338369863.7747.96.camel@localhost \
--to=brouer@redhat.com \
--cc=andi@firstfloor.org \
--cc=christoph.paasch@uclouvain.be \
--cc=davem@davemloft.net \
--cc=eric.dumazet@gmail.com \
--cc=fw@strlen.de \
--cc=hans.schillstrom@ericsson.com \
--cc=mph@hoth.dk \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).