Date: Fri, 20 Jan 2012 10:32:23 +0200 From: Nikolay Denev <ndenev@gmail.com> To: Andrey Zonov <andrey@zonov.org> Cc: "freebsd-net@freebsd.org" <freebsd-net@freebsd.org> Subject: Re: ICMP attacks against TCP and PMTUD Message-ID: <7D135FA9-6503-4263-AE55-5C80F94CDF5A@gmail.com> In-Reply-To: <3008402354236887854@unknownmsgid> References: <EE6495BD-38D0-4EBE-9A94-7C40DC69F820@gmail.com> <4F131A7D.4020006@zonov.org> <733BE6AF-33E0-4C16-A222-B5F5D0519194@gmail.com> <12379405.15603.1326656127893.JavaMail.mobile-sync@vbzh28> <3008402354236887854@unknownmsgid>
next in thread | previous in thread | raw e-mail | index | archive | help
On Jan 15, 2012, at 9:52 PM, Nikolay Denev wrote: > On 15.01.2012, at 21:35, Andrey Zonov <andrey@zonov.org> wrote: >=20 >> This helped me: >> /boot/loader.conf >> net.inet.tcp.hostcache.hashsizee536 >> net.inet.tcp.hostcache.cachelimit=1966080 >>=20 >> Actually, this is a workaround. As I remember, real problem is in >> tcp_ctlinput(), it could not update MTU for destination IP if = hostcache >> allocation fails. tcp_hc_updatemtu() should returns NULL if >> tcp_hc_insert() returns NULL and tcp_ctlinput() should check this = case >> and sets updated MTU for this particular connection if >> tcp_hc_updatemtu() fails. Otherwise we've got infinite loop in MTU >> discovery. >>=20 >>=20 >> On 15.01.2012 22:59, Nikolay Denev wrote: >>>=20 >>> % uptime >>> 7:57PM up 608 days, 4:06, 1 user, load averages: 0.30, 0.21, 0.17 >>>=20 >>> % vmstat -z|grep hostcache >>> hostcache: 136, 15372, 15136, 236, = 44946965, 10972760 >>>=20 >>>=20 >>> Hmm=85 probably I should increase this=85. >>>=20 >>=20 >> -- >> Andrey Zonov >=20 > Thanks, I will test this asap! >=20 > Regards, > Nikolay I've upgraded from 7.3-STABLE to 8.2-STABLE and bumped significantly the = hostcache tunables. So far so good, I'll report back if I see similar traffic spikes.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?7D135FA9-6503-4263-AE55-5C80F94CDF5A>