From: Nikolay Denev
Date: Fri, 20 Jan 2012 10:32:23 +0200
To: Andrey Zonov
Cc: "freebsd-net@freebsd.org"
Subject: Re: ICMP attacks against TCP and PMTUD
List-Id: Networking and TCP/IP with FreeBSD

On Jan 15, 2012, at 9:52 PM, Nikolay Denev wrote:

> On 15.01.2012, at 21:35, Andrey Zonov wrote:
>
>> This helped me:
>> /boot/loader.conf
>> net.inet.tcp.hostcache.hashsize=65536
>> net.inet.tcp.hostcache.cachelimit=1966080
>>
>> Actually, this is a workaround. As I remember, the real problem is in
>> tcp_ctlinput(), it could not update MTU for destination IP if hostcache
>> allocation fails. tcp_hc_updatemtu() should return NULL if
>> tcp_hc_insert() returns NULL and tcp_ctlinput() should check this case
>> and set the updated MTU for this particular connection if
>> tcp_hc_updatemtu() fails. Otherwise we've got an infinite loop in MTU
>> discovery.
>>
>>
>> On 15.01.2012 22:59, Nikolay Denev wrote:
>>>
>>> % uptime
>>> 7:57PM up 608 days, 4:06, 1 user, load averages: 0.30, 0.21, 0.17
>>>
>>> % vmstat -z|grep hostcache
>>> hostcache: 136, 15372, 15136, 236, 44946965, 10972760
>>>
>>>
>>> Hmm… probably I should increase this….
>>>
>>
>> --
>> Andrey Zonov
>
> Thanks, I will test this asap!
>
> Regards,
> Nikolay

I've upgraded from 7.3-STABLE to 8.2-STABLE and significantly bumped the
hostcache tunables.
So far so good, I'll report back if I see similar traffic spikes.
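
A check for the hostcache exhaustion discussed in this thread, as an added example that is not part of the original messages: it parses the `hostcache` line of `vmstat -z` and flags a zone that is nearly full or has failed allocations. The column order (SIZE, LIMIT, USED, FREE, REQUESTS, FAILURES) is assumed from the `vmstat -z` header of FreeBSD 7.x/8.x; the function names and the 95% threshold are hypothetical.

```shell
#!/bin/sh
# hostcache_check: read `vmstat -z` output on stdin and report on the TCP
# hostcache UMA zone.
# Assumed columns: ITEM: SIZE, LIMIT, USED, FREE, REQUESTS, FAILURES
# Exit status: 0 = healthy, 1 = exhausted or failing, 2 = zone not found.
hostcache_check() {
    awk -F'[:,][ \t]*' '
        $1 == "hostcache" {
            found = 1
            limit = $3 + 0; used = $4 + 0   # entries allowed / in use
            req = $6 + 0; fail = $7 + 0     # allocation requests / failures
        }
        END {
            if (!found) { print "hostcache zone not found"; exit 2 }
            # A LIMIT of 0 is treated as "no limit" to avoid dividing by zero.
            full  = (limit > 0) ? used * 100 / limit : 0
            frate = (req > 0) ? fail * 100 / req : 0
            # Example policy (assumption): any failed allocation, or a zone
            # that is at least 95% full, means new PMTU results may not be stored.
            state = (fail > 0 || full >= 95) ? "EXHAUSTED" : "ok"
            printf "hostcache %s: %d/%d entries (%.1f%% full), ", state, used, limit, full
            printf "%d of %d allocations failed (%.1f%%)\n", fail, req, frate
            exit (state == "ok" ? 0 : 1)
        }'
}

# Sample input: the hostcache line is the one quoted in the thread; the
# tcpcb line is constructed so the parser has to pick the right zone.
sample_from_thread() {
    cat <<'EOF'
tcpcb: 880, 25600, 412, 1188, 9912345, 0
hostcache: 136, 15372, 15136, 236, 44946965, 10972760
EOF
}

# On a live system: vmstat -z | hostcache_check
```

Run from cron or a monitoring agent, a non-zero exit status is the signal to review `net.inet.tcp.hostcache.hashsize` and `net.inet.tcp.hostcache.cachelimit` in `/boot/loader.conf`.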