Date: Sun, 23 Jan 2000 11:22:20 -0500
From: Richard Steenbergen
To: Alfred Perlstein
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: stream.c
Message-ID: <20000123112220.E18349@above.net>

On Sun, Jan 23, 2000 at 08:32:34AM -0800, Alfred Perlstein wrote:
> * Richard Steenbergen [000123 07:53] wrote:
> >
> > The correct "sorta-fix" is to rate limit the number of dropwithreset's per
> > second, else kick them down to straight drop. I believe this has been done
> > effectively in http://www.freebsd.org/~alfred/tcp_fix.diff (though I
> > question what it's aimed to be accomplished with that checksum work :P).
>
> The idea is to reduce the amount of time spent doing checksums on invalid
> packets, why checksum if the destination port isn't open or no such
> connection is open?
>
> Unfortunately even after moving the checksum quite far into tcp_input's
> path it still seems pretty easy to eat all CPU on a box, in fact I
> didn't notice any improvement at all.
>
> Maybe I'm missing something, those interested can have a try at:
> http://www.freebsd.org/~alfred/tcp_fix_untested.diff
>
> maybe someone can tell me what I'm screwing up.

The checksums are a pretty small amount of the CPU time burned. The RST
generation is by far the worst, the PCB hash lookups are 2nd after that.
And really you shouldn't be doing any work at all if the checksum is
invalid. :P

--
Richard A. Steenbergen http://users.quadrunner.com/humble
PGP Key ID: 0x60AB0AD1 (E5 35 10 1D DE 7D 8C A7 09 1C 80 8B AF B9 77 BB)
AboveNet Communications - AboveSecure Network Security Engineer, Vienna VA
"A mind is like a parachute, it works best when open." -- Unknown
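The mitigation discussed in this message, as an added user-space sketch that is not part of the original thread and is not the code in tcp_fix.diff or the FreeBSD kernel: segments with a bad checksum are dropped before any other work, and segments matching no connection get a RST only while a per-second budget lasts, after which they are dropped silently. All names (`rst_limiter`, `classify`, `flood`) and the limit of 200 RSTs per second are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <time.h>

enum verdict { DELIVER, SEND_RST, DROP };

struct rst_limiter {
    time_t   window;  /* second in which the current budget started */
    unsigned sent;    /* RSTs generated during that second */
    unsigned limit;   /* maximum RSTs per second (assumed value) */
};

/* Return 1 if a RST may be generated now, 0 if this second's budget is spent. */
static int rst_allowed(struct rst_limiter *rl, time_t now)
{
    if (now != rl->window) {      /* new one-second window: reset the budget */
        rl->window = now;
        rl->sent = 0;
    }
    if (rl->sent >= rl->limit)
        return 0;
    rl->sent++;
    return 1;
}

/* Decide the fate of one inbound segment, cheapest rejection first. */
enum verdict classify(struct rst_limiter *rl, time_t now, int cksum_ok, int pcb_found)
{
    if (!cksum_ok)
        return DROP;              /* invalid checksum: do no further work */
    if (pcb_found)
        return DELIVER;           /* matches a connection or listener */
    return rst_allowed(rl, now) ? SEND_RST : DROP;
}

/* Simulate n valid-checksum segments for closed ports arriving in one second. */
unsigned flood(struct rst_limiter *rl, time_t now, unsigned n)
{
    unsigned rsts = 0;
    for (unsigned i = 0; i < n; i++)
        if (classify(rl, now, 1, 0) == SEND_RST)
            rsts++;
    return rsts;
}

int main(void)
{
    struct rst_limiter rl = { 0, 0, 200 };   /* constructed limit */
    printf("%u RSTs for 10000 unmatched segments\n", flood(&rl, time(NULL), 10000));
    return 0;
}
```

The limiter only caps the RST generation cost; the connection lookup still runs for every segment with a valid checksum.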