Date:      Sat, 07 May 2016 11:17:30 -0400
From:      "George Neville-Neil" <gnn@neville-neil.com>
To:        transport@freebsd.org
Subject:   Fwd: Patches to improve SYN performance when under attack
Message-ID:  <E26F9115-4F0B-43EB-ACBD-1FE139EED611@neville-neil.com>
References:  <A90DF352-44A8-45B0-A57D-D2D4474AA5BA@cl.cam.ac.uk>

Can folks take a quick look at these?

Best,
George


Forwarded message:

> From: Robert N. M. Watson <robert.watson@cl.cam.ac.uk>
> To: George V. Neville-Neil <gnn@neville-neil.com>
> Subject: Fwd: Patches to improve SYN performance when under attack
> Date: Wed, 27 Apr 2016 15:31:34 +0100
>
> Possibly something for the TCP group to talk about sometime.
>
> Robert
>
>> Begin forwarded message:
>>
>> From: Richard Clayton <richard@highwayman.com>
>> Subject: Patches to improve SYN performance when under attack
>> Date: 27 April 2016 at 15:20:20 BST
>> To: Robert Watson <robert.watson@cl.cam.ac.uk>
>>
>>
>> As discussed, first patch is Oct 2015, second Apr 2016
>>
>>
>> https://lwn.net/Articles/659199/
>>
>>     This patch series takes the steps to use normal TCP/DCCP ehash
>>     table to store SYN_RECV requests, instead of the private per-
>>     listener hash table we had until now.
>>
>>     SYNACK skb are now attached to their syn_recv request socket, so
>>     that we no longer heavily modify listener sk_wmem_alloc.
>>
>>     listener lock is no longer held in fast path, including SYNCOOKIE
>>     mode.
>>
>>     During my tests, my server was able to process 3,500,000 SYN
>>     packets per second on one listener and still had available cpu
>>     cycles.
>>
>>     That is about 2 to 3 orders of magnitude more than what we had
>>     with older kernels.
>>
>> https://patchwork.ozlabs.org/patch/610370/
>>
>>     Last known hot point during SYNFLOOD attack is the clearing of
>>     rx_opt.saw_tstamp in tcp_rcv_state_process()
>>
>>     It is not needed for a listener, so we move it where it matters.
>>
>>     Performance while a SYNFLOOD hits a single listener socket went
>>     from 5 Mpps to 6 Mpps on my test server (24 cores, 8 NIC RX queues)
>>
>>
>>
>> -- 
>> richard @ highwayman . com                       "Nothing seems the same
>>                          Still you never see the change from day to day
>>                                And no-one notices the customs slip away"
>



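The figures quoted above are about how many SYNs a Linux listener can absorb; the complementary question for an operator is whether a given host is actually in that regime, i.e. whether the kernel has fallen back to SYN cookies or is dropping from a full request queue. The following is an added example for readers of this thread, not code from the thread, from FreeBSD, or from either Linux patch series. It parses the TcpExt counters from /proc/net/netstat (the two-line header/values format and the counter names SyncookiesSent, SyncookiesFailed, ListenOverflows, ListenDrops, TCPReqQFullDoCookies and TCPReqQFullDrop are the Linux kernel's own), takes two snapshots and reports per-second rates. The sample snapshots are constructed, and the 1000 cookies/s threshold in under_syn_flood() is an arbitrary assumption to be tuned per host.

```python
"""Detect SYN-flood symptoms from Linux /proc/net/netstat TcpExt counters."""
from __future__ import annotations

# Constructed sample snapshots, 10 s apart, in the real /proc/net/netstat
# layout: a "Name: field field ..." header line followed by a
# "Name: value value ..." line. The numbers are made up for this example.
SAMPLE_BEFORE = """\
TcpExt: SyncookiesSent SyncookiesRecv SyncookiesFailed ListenOverflows ListenDrops TCPReqQFullDoCookies TCPReqQFullDrop
TcpExt: 1000000 1204 9000 0 0 1000000 0
IpExt: InNoRoutes InTruncatedPkts
IpExt: 0 0
"""
SAMPLE_AFTER = """\
TcpExt: SyncookiesSent SyncookiesRecv SyncookiesFailed ListenOverflows ListenDrops TCPReqQFullDoCookies TCPReqQFullDrop
TcpExt: 1500000 1204 9811 0 0 1500000 0
IpExt: InNoRoutes InTruncatedPkts
IpExt: 0 0
"""
SAMPLE_INTERVAL_S = 10.0


def parse_netstat(text: str) -> dict[str, dict[str, int]]:
    """Parse the paired header/value lines of /proc/net/netstat into
    {table_name: {counter_name: value}}. Raises on malformed input."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("expected header/value line pairs")
    tables: dict[str, dict[str, int]] = {}
    for hdr, vals in zip(lines[::2], lines[1::2]):
        hname, _, hfields = hdr.partition(":")
        vname, _, vfields = vals.partition(":")
        if hname != vname:
            raise ValueError(f"mismatched pair {hname!r} / {vname!r}")
        names, values = hfields.split(), vfields.split()
        if len(names) != len(values):
            raise ValueError(f"{hname}: {len(names)} names vs {len(values)} values")
        tables[hname] = {n: int(v) for n, v in zip(names, values)}
    return tables


def syn_flood_indicators(before: dict[str, dict[str, int]],
                         after: dict[str, dict[str, int]],
                         interval_s: float) -> dict[str, float]:
    """Per-second rates of the TcpExt counters that move when a listener is
    under SYN flood. Missing counters (older kernels) are treated as 0."""
    if interval_s <= 0:
        raise ValueError("interval must be positive")
    tcp_b, tcp_a = before["TcpExt"], after["TcpExt"]

    def rate(name: str) -> float:
        return (tcp_a.get(name, 0) - tcp_b.get(name, 0)) / interval_s

    return {
        "syncookies_sent_per_s": rate("SyncookiesSent"),      # cookie mode active
        "syncookies_failed_per_s": rate("SyncookiesFailed"),  # bogus/forged ACKs
        "listen_overflows_per_s": rate("ListenOverflows"),    # accept queue full
        "listen_drops_per_s": rate("ListenDrops"),
        "reqq_full_cookies_per_s": rate("TCPReqQFullDoCookies"),  # SYN queue full, cookies on
        "reqq_full_drops_per_s": rate("TCPReqQFullDrop"),         # SYN queue full, cookies off
    }


def under_syn_flood(ind: dict[str, float], cookie_rate_threshold: float = 1000.0) -> bool:
    """Heuristic verdict. The threshold is an assumed value, not a kernel constant:
    any sustained TCPReqQFullDrop means SYNs are being dropped outright, and a
    high cookie rate means the listener's SYN queue is saturated."""
    return (ind["reqq_full_drops_per_s"] > 0
            or ind["syncookies_sent_per_s"] >= cookie_rate_threshold)


def assess_samples() -> tuple[dict[str, float], bool]:
    """Run the check over the constructed snapshots; returns (rates, verdict)."""
    ind = syn_flood_indicators(parse_netstat(SAMPLE_BEFORE),
                               parse_netstat(SAMPLE_AFTER), SAMPLE_INTERVAL_S)
    return ind, under_syn_flood(ind)


def assess_live(interval_s: float = 10.0) -> tuple[dict[str, float], bool]:
    """Same check against the running kernel (Linux only, read-only)."""
    import time
    with open("/proc/net/netstat") as f:
        before = parse_netstat(f.read())
    time.sleep(interval_s)
    with open("/proc/net/netstat") as f:
        after = parse_netstat(f.read())
    ind = syn_flood_indicators(before, after, interval_s)
    return ind, under_syn_flood(ind)


if __name__ == "__main__":
    rates, flooded = assess_samples()
    for k, v in rates.items():
        print(f"{k:28s} {v:12.1f}")
    print("SYN flood suspected:", flooded)
```

On a live host, pair this with `sysctl net.ipv4.tcp_syncookies` and `ss -ltn` (Recv-Q on a listening socket is the SYN backlog in use): a high SyncookiesSent rate with TCPReqQFullDrop at zero is the healthy case the patches above optimise, while a nonzero TCPReqQFullDrop rate means cookies are off and new connections are simply being lost.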
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?E26F9115-4F0B-43EB-ACBD-1FE139EED611>