From owner-freebsd-net@FreeBSD.ORG Fri May 13 05:57:01 2005 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 66E7D16A4D1 for ; Fri, 13 May 2005 05:57:01 +0000 (GMT) Received: from relay03.pair.com (relay03.pair.com [209.68.5.17]) by mx1.FreeBSD.org (Postfix) with SMTP id D1B9943D94 for ; Fri, 13 May 2005 05:57:00 +0000 (GMT) (envelope-from silby@silby.com) Received: (qmail 50414 invoked from network); 13 May 2005 05:56:59 -0000 Received: from unknown (HELO localhost) (unknown) by unknown with SMTP; 13 May 2005 05:56:59 -0000 X-pair-Authenticated: 209.68.2.70 Date: Fri, 13 May 2005 00:56:44 -0500 (CDT) From: Mike Silbersack To: Gandalf The White In-Reply-To: Message-ID: <20050513005221.S731@odysseus.silby.com> References: MIME-Version: 1.0 Content-Type: MULTIPART/MIXED; BOUNDARY="0-1582394414-1115963804=:731" cc: freebsd-net@FreeBSD.org cc: Suleiman Souhlal Subject: Re: FreeBSD and the Rose Attack / NewDawn X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 13 May 2005 05:57:01 -0000 This message is in MIME format. The first part should be readable text, while the remaining parts are likely unreadable without MIME-aware tools. --0-1582394414-1115963804=:731 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed On Thu, 12 May 2005, Gandalf The White wrote: > # patch ip_reass-20050507.diff > Recompile kernel > > I ran: > # top > > I ran the test again and CPU utilization was at close to 98% to 99% in the > interrupt column. > > Ken Brooks Davis and myself ran some tests tonight while sitting around at BSDCan and came to the conclusion that IP Reassembly overhead is not the main problem here. This conclusion was derived from the patch I've attached to this e-mail (please tell me if it gets stripped off.) On my laptop, we found that we could hit it with 14000 frags per second, and it didn't matter if those frags were all processed, or all ignored (via the net.inet.ip.maxfragspersecond sysctl). Either way, the amount of cpu time used was about the same - 70%. But on another laptop with the same processor, 8000 pps could effectively freeze it. We believe this is because the network card on that machine shares an IRQ with the sound card, making interrupt processing very expensive. So, test out my attached patch with varying settings of maxfragspersecond and see if it makes any difference for you. Thanks, Mike "Silby" Silbersack --0-1582394414-1115963804=:731 Content-Type: TEXT/PLAIN; charset=US-ASCII; name=ip_maxfragspersecond.patch Content-Transfer-Encoding: BASE64 Content-ID: <20050513005644.N731@odysseus.silby.com> Content-Description: Content-Disposition: attachment; filename=ip_maxfragspersecond.patch ZGlmZiAtdSAtciAvdXNyL3NyYy9zeXMub2xkL25ldGluZXQvaW5fcGNiLmMg L3Vzci9zcmMvc3lzL25ldGluZXQvaW5fcGNiLmMNCi0tLSAvdXNyL3NyYy9z eXMub2xkL25ldGluZXQvaW5fcGNiLmMJU3VuIEFwciAxNyAxODowNTowNSAy MDA1DQorKysgL3Vzci9zcmMvc3lzL25ldGluZXQvaW5fcGNiLmMJVGh1IE1h eSAxMiAyMTo0NzozOSAyMDA1DQpAQCAtMTIzNCw1ICsxMjM0LDEwIEBADQog CQkJaXBwb3J0X3N0b3ByYW5kb20tLTsNCiAJfQ0KIAlpcHBvcnRfdGNwbGFz dGNvdW50ID0gaXBwb3J0X3RjcGFsbG9jczsNCisJaWYgKGlwX2N1cmZyYWdz cGVyc2Vjb25kID4gaXBfbWF4ZnJhZ3NwZXJzZWNvbmQpIHsNCisJCXByaW50 ZigiUmVjZWl2ZWQgJWQgZnJhZ3MsIGV4Y2VlZGVkICVkIHBlciBzZWNvbmRc bi4iLA0KKwkJCWlwX2N1cmZyYWdzcGVyc2Vjb25kLCBpcF9tYXhmcmFnc3Bl cnNlY29uZCk7DQorCX0NCisJaXBfY3VyZnJhZ3NwZXJzZWNvbmQgPSAwOw0K IAljYWxsb3V0X3Jlc2V0KCZpcHBvcnRfdGlja19jYWxsb3V0LCBoeiwgaXBw b3J0X3RpY2ssIE5VTEwpOw0KIH0NCmRpZmYgLXUgLXIgL3Vzci9zcmMvc3lz Lm9sZC9uZXRpbmV0L2lwX2lucHV0LmMgL3Vzci9zcmMvc3lzL25ldGluZXQv aXBfaW5wdXQuYw0KLS0tIC91c3Ivc3JjL3N5cy5vbGQvbmV0aW5ldC9pcF9p bnB1dC5jCVN1biBBcHIgMTcgMTg6MDU6MDYgMjAwNQ0KKysrIC91c3Ivc3Jj L3N5cy9uZXRpbmV0L2lwX2lucHV0LmMJVGh1IE1heSAxMiAyMTo0OTo1MiAy MDA1DQpAQCAtMTMwLDYgKzEzMCwxMiBAQA0KIAkmbWF4ZnJhZ3NwZXJwYWNr ZXQsIDAsDQogCSJNYXhpbXVtIG51bWJlciBvZiBJUHY0IGZyYWdtZW50cyBh bGxvd2VkIHBlciBwYWNrZXQiKTsNCiANCitpbnQgaXBfY3VyZnJhZ3NwZXJz ZWNvbmQ7DQoraW50IGlwX21heGZyYWdzcGVyc2Vjb25kOw0KK1NZU0NUTF9J TlQoX25ldF9pbmV0X2lwLCBPSURfQVVUTywgbWF4ZnJhZ3NwZXJzZWNvbmQs IENUTEZMQUdfUlcsDQorCSZpcF9tYXhmcmFnc3BlcnNlY29uZCwgMCwNCisJ Ik1heGltdW0gbnVtYmVyIG9mIElQdjQgZnJhZ21lbnRzIGFsbG93ZWQgcGVy IHNlY29uZCIpOw0KKw0KIHN0YXRpYyBpbnQJaXBfc2VuZHNvdXJjZXF1ZW5j aCA9IDA7DQogU1lTQ1RMX0lOVChfbmV0X2luZXRfaXAsIE9JRF9BVVRPLCBz ZW5kc291cmNlcXVlbmNoLCBDVExGTEFHX1JXLA0KIAkmaXBfc2VuZHNvdXJj ZXF1ZW5jaCwgMCwNCkBAIC0yODQsNiArMjkwLDcgQEANCiAJICAgIFRBSUxR X0lOSVQoJmlwcVtpXSk7DQogCW1heG5pcHEgPSBubWJjbHVzdGVycyAvIDMy Ow0KIAltYXhmcmFnc3BlcnBhY2tldCA9IDE2Ow0KKwlpcF9tYXhmcmFnc3Bl cnNlY29uZCA9IDEwMDsNCiANCiAJLyogU3RhcnQgaXBwb3J0X3RpY2suICov DQogCWNhbGxvdXRfaW5pdCgmaXBwb3J0X3RpY2tfY2FsbG91dCwgQ0FMTE9V VF9NUFNBRkUpOw0KQEAgLTgwMiw3ICs4MDksOSBAQA0KIAl1X3Nob3J0IGhh c2g7DQogDQogCS8qIElmIG1heG5pcHEgb3IgbWF4ZnJhZ3NwZXJwYWNrZXQg YXJlIDAsIG5ldmVyIGFjY2VwdCBmcmFnbWVudHMuICovDQotCWlmIChtYXhu aXBxID09IDAgfHwgbWF4ZnJhZ3NwZXJwYWNrZXQgPT0gMCkgew0KKwlpZiAo bWF4bmlwcSA9PSAwIHx8IG1heGZyYWdzcGVycGFja2V0ID09IDAgfHwNCisJ CWlwX2N1cmZyYWdzcGVyc2Vjb25kID49IGlwX21heGZyYWdzcGVyc2Vjb25k KSB7DQorCQlpcF9jdXJmcmFnc3BlcnNlY29uZCsrOw0KIAkJaXBzdGF0Lmlw c19mcmFnbWVudHMrKzsNCiAJCWlwc3RhdC5pcHNfZnJhZ2Ryb3BwZWQrKzsN CiAJCW1fZnJlZW0obSk7DQpAQCAtODg0LDYgKzg5Myw3IEBADQogCSAqIGlw X3JlYXNzKCkgd2lsbCByZXR1cm4gYSBkaWZmZXJlbnQgbWJ1Zi4NCiAJICov DQogCWlwc3RhdC5pcHNfZnJhZ21lbnRzKys7DQorCWlwX2N1cmZyYWdzcGVy c2Vjb25kKys7DQogCW0tPm1fcGt0aGRyLmhlYWRlciA9IGlwOw0KIA0KIAkv KiBQcmV2aW91cyBpcF9yZWFzcygpIHN0YXJ0ZWQgaGVyZS4gKi8NCkBAIC0x MDY5LDYgKzEwNzksNyBAQA0KIAlpcC0+aXBfbGVuID0gKGlwLT5pcF9obCA8 PCAyKSArIG5leHQ7DQogCWlwLT5pcF9zcmMgPSBmcC0+aXBxX3NyYzsNCiAJ aXAtPmlwX2RzdCA9IGZwLT5pcHFfZHN0Ow0KKwlpcF9jdXJmcmFnc3BlcnNl Y29uZCAtPSBmcC0+aXBxX25mcmFnczsNCiAJVEFJTFFfUkVNT1ZFKGhlYWQs IGZwLCBpcHFfbGlzdCk7DQogCW5pcHEtLTsNCiAJKHZvaWQpIG1fZnJlZShk dG9tKGZwKSk7DQpPbmx5IGluIC91c3Ivc3JjL3N5cy9uZXRpbmV0OiBpcF9p bnB1dC5jLm9sZA0KZGlmZiAtdSAtciAvdXNyL3NyYy9zeXMub2xkL25ldGlu ZXQvaXBfdmFyLmggL3Vzci9zcmMvc3lzL25ldGluZXQvaXBfdmFyLmgNCi0t LSAvdXNyL3NyYy9zeXMub2xkL25ldGluZXQvaXBfdmFyLmgJU3VuIEFwciAx NyAxODowNTowNiAyMDA1DQorKysgL3Vzci9zcmMvc3lzL25ldGluZXQvaXBf dmFyLmgJVGh1IE1heSAxMiAyMToxNjo0NyAyMDA1DQpAQCAtNjEsNiArNjEs OCBAQA0KIAlzdHJ1Y3QgbWJ1ZiAqaXBxX2ZyYWdzOwkJLyogdG8gaXAgaGVh ZGVycyBvZiBmcmFnbWVudHMgKi8NCiAJc3RydWN0CWluX2FkZHIgaXBxX3Ny YyxpcHFfZHN0Ow0KIAl1X2NoYXIJaXBxX25mcmFnczsJCS8qICMgZnJhZ3Mg aW4gdGhpcyBwYWNrZXQgKi8NCisJdV9zaG9ydCBpcHFfbGVuOwkJLyogbGVu Z3RoIG9mIGZpbmFsIHBhY2tldCAqLw0KKwl1X3Nob3J0IGlwcV9jdXJsZW47 CQkvKiBob3cgbXVjaCB3ZSd2ZSBnb3R0ZW4gc28gZmFyICovDQogCXN0cnVj dCBsYWJlbCAqaXBxX2xhYmVsOwkJLyogTUFDIGxhYmVsICovDQogfTsNCiAj ZW5kaWYgLyogX0tFUk5FTCAqLw0KQEAgLTE1Niw2ICsxNTgsOCBAQA0KIGV4 dGVybiB1X2xvbmcJKCppcF9tY2FzdF9zcmMpKGludCk7DQogZXh0ZXJuIGlu dCByc3ZwX29uOw0KIGV4dGVybiBzdHJ1Y3QJcHJfdXNycmVxcyByaXBfdXNy cmVxczsNCitleHRlcm4gaW50CWlwX2N1cmZyYWdzcGVyc2Vjb25kOw0KK2V4 dGVybiBpbnQJaXBfbWF4ZnJhZ3NwZXJzZWNvbmQ7DQogDQogaW50CSBpcF9j dGxvdXRwdXQoc3RydWN0IHNvY2tldCAqLCBzdHJ1Y3Qgc29ja29wdCAqc29w dCk7DQogdm9pZAkgaXBfZHJhaW4odm9pZCk7DQo= --0-1582394414-1115963804=:731--