From: "George Neville-Neil" <gnn@neville-neil.com>
To: transport@freebsd.org
Subject: Fwd: Patches to improve SYN performance when under attack
Date: Sat, 07 May 2016 11:17:30 -0400
List-Id: Discussions of transport level network protocols in FreeBSD

Can folks take a quick look at these?

Best,
George

Forwarded message:

> From: Robert N. M. Watson
> To: George V. Neville-Neil
> Subject: Fwd: Patches to improve SYN performance when under attack
> Date: Wed, 27 Apr 2016 15:31:34 +0100
>
> Possibly something for the TCP group to talk about sometime.
>
> Robert
>
>> Begin forwarded message:
>>
>> From: Richard Clayton
>> Subject: Patches to improve SYN performance when under attack
>> Date: 27 April 2016 at 15:20:20 BST
>> To: Robert Watson
>>
>> As discussed, first patch is Oct 2015, second Apr 2016.
>>
>> https://lwn.net/Articles/659199/
>>
>> This patch series takes the steps to use the normal TCP/DCCP ehash table to store SYN_RECV requests, instead of the private per-listener hash table we had until now.
>>
>> SYNACK skb are now attached to their syn_recv request socket, so that we no longer heavily modify listener sk_wmem_alloc.
>>
>> The listener lock is no longer held in the fast path, including SYNCOOKIE mode.
>>
>> During my tests, my server was able to process 3,500,000 SYN packets per second on one listener and still had available cpu cycles.
>>
>> That is about 2 to 3 orders of magnitude what we had with older kernels.
>>
>> https://patchwork.ozlabs.org/patch/610370/
>>
>> Last known hot point during a SYNFLOOD attack is the clearing of rx_opt.saw_tstamp in tcp_rcv_state_process().
>>
>> It is not needed for a listener, so we move it where it matters.
>>
>> Performance while a SYNFLOOD hits a single listener socket went from 5 Mpps to 6 Mpps on my test server (24 cores, 8 NIC RX queues).
>>
>> --
>> richard @ highwayman . com    "Nothing seems the same
>>                                Still you never see the change from day to day
>>                                And no-one notices the customs slip away"
>