From owner-freebsd-questions Sat Oct 21 18:51: 1 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from fw.wintelcom.net (ns1.wintelcom.net [209.1.153.20]) by hub.freebsd.org (Postfix) with ESMTP id 6597F37B479 for ; Sat, 21 Oct 2000 18:50:58 -0700 (PDT)
Received: (from bright@localhost) by fw.wintelcom.net (8.10.0/8.10.0) id e9M1oGn01964; Sat, 21 Oct 2000 18:50:16 -0700 (PDT)
Date: Sat, 21 Oct 2000 18:50:16 -0700
From: Alfred Perlstein
To: "Marius M. Rex"
Cc: freeBSD-questions@FreeBSD.ORG
Subject: Re: TCP-ack traffic
Message-ID: <20001021185015.F28123@fw.wintelcom.net>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.4i
In-Reply-To: ; from marius@malkav.snowmoon.com on Thu, Oct 19, 2000 at 12:27:00PM -0400
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

* Marius M. Rex [001019 09:27] wrote:
>
> I heard somewhere recently that Yahoo had come up with a modification to
> FreeBSD to help protect against DOS attacks. It waits until the first
> true byte of actual data comes through before opening a path to its
> services. Is this code available, and where so? I also heard say that it
> was ported over to a Linux kernel patch.
>
> Basically at my company we have clustered webservers. Some clusters serve
> images, others static pages, others handle database calls, etc. We have
> recently had some problems where one server in a cluster gets a request,
> spawns a bunch of child processes for Apache to serve the requests, but
> then gets no data for a significant amount of time. (say 30
> seconds) That leaves the server that is trying to serve those requests
> crunching processor time for no reason, and other servers sitting around
> and doing nothing. Webservers end up acting non-responsive, and my beeper
> goes off. (You see where my priorities lie, don't-cha?)
>
> Looking at the numbers, I think this happens to our linux boxes
> more than our FreeBSD boxes. (We have more linux boxes than FreeBSD. We
> use FreeBSD for the -heavy- traffic servers, and linux for everything
> else.) It may be that we just have so many more linux boxes that the
> numbers are obviously skewed. Or perhaps this modification has just been
> added to the FreeBSD code? (I am tracking stable)
> Unfortunately I am working on rumors. If any of my babbling rings
> a bell for someone, could they please point me to more info? I also want
> to track down that Linux kernel patch, if I can.

You want to use the accf_http/accf_data kernel modules that ship with
FreeBSD 4.1.1; you can read more about them in the manpages for
accept_filter(9) and setsockopt(2).

If you pick up a recent copy of apache, you can run its configure script
in such a way to inform it that you are on FreeBSD and want it to use
accept filters.

best of luck,
-Alfred
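The setsockopt(2) call Alfred points to, as an added example that is not code from this thread, from FreeBSD or from Apache: it installs the accf_data "dataready" filter on a listening socket through SO_ACCEPTFILTER on FreeBSD, so accept() does not return the connection until the client has sent real data. The Linux branch uses TCP_DEFER_ACCEPT, which is the kernel's own analogue of that behaviour and is not named in the thread; the function names, loopback/port 0 listener and 30-second timeout are my assumptions.

```c
#include <errno.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/tcp.h>

/* Ask the kernel to hold a connection back from accept() until the peer has
 * sent data. filter_name is "dataready" (accf_data) or "httpready" (accf_http)
 * on FreeBSD; timeout_s is only used by the Linux TCP_DEFER_ACCEPT path.
 * Returns 0 on success, -1 with errno set on failure. */
int defer_accept_until_data(int listen_fd, const char *filter_name, int timeout_s)
{
#ifdef SO_ACCEPTFILTER
    /* FreeBSD, see accept_filter(9): the socket must already be listening and
     * the accf_* module must be loaded, otherwise setsockopt fails. */
    struct accept_filter_arg afa;
    (void)timeout_s;
    memset(&afa, 0, sizeof afa);
    strncpy(afa.af_name, filter_name, sizeof afa.af_name - 1);
    return setsockopt(listen_fd, SOL_SOCKET, SO_ACCEPTFILTER, &afa, sizeof afa);
#elif defined(TCP_DEFER_ACCEPT)
    /* Linux analogue (assumed, not named in the thread): wait up to timeout_s
     * seconds for the first data segment before completing the accept. */
    (void)filter_name;
    return setsockopt(listen_fd, IPPROTO_TCP, TCP_DEFER_ACCEPT,
                      &timeout_s, sizeof timeout_s);
#else
    (void)listen_fd; (void)filter_name; (void)timeout_s;
    errno = ENOPROTOOPT;
    return -1;
#endif
}

/* Constructed helper: a TCP listener on 127.0.0.1 with a kernel-chosen port,
 * with the data-ready filter applied. Returns the fd, or -1 on any failure. */
int make_deferred_listener(void)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sin.sin_port = 0;
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0 || listen(fd, 128) < 0
        || defer_accept_until_data(fd, "dataready", 30) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}
```

Without the filter, every half-open or idle connection still costs an Apache child; with it, the child is only woken once there is a request to read.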