Date: Mon, 10 Nov 2003 01:11:20 -0600 (CST)
From: Mike Silbersack
To: Andre Oppermann
cc: freebsd-net@freebsd.org, freebsd-current@freebsd.org, mb@imp.ch, ume@freebsd.org, sam@errno.com
Subject: Re: tcp hostcache and ip fastforward for review
Message-ID: <20031110005543.C532@odysseus.silby.com>
In-Reply-To: <3FAE68FB.64D262FF@pipeline.ch>

On Sun, 9 Nov 2003, Andre Oppermann wrote:

> Hello all,
>
> this patch contains three things (to be separated for committing):

I don't have much time free in the next week, so I cannot do a complete review. However, I just did a quick read-through.

> tcp_hostcache

This looks good to me, I've been waiting for you to finish it for a long time. You actually missed a point:

- Ensures that a cached entry isn't added until the 3WHS is completed. This should help make synfloods with random source addresses less damaging.

Would it be possible to provide a way for netstat to view the host cache table? I think that it would be useful.

> ip_fastforward

No comment, I didn't read through this part, and I'm not familiar with the forwarding code.

> tcp bug fixes and MSS DoS attack prevention

Generally good, but:

> - adds tcp_minmssoverload which disconnects a TCP session if
> it receives too many (1000) packets per second whose average
> segment size is lower than tcp_minmss

> - DoS attack 2: make MSS very low on local side of connection
> and send maaaany small packets to remote host. For every packet
> (e.g. 2 bytes payload) a sowakeup is done to the listening
> process. Consumes a lot of CPU there.

I don't think that your patch for this really solves anything. Anyone who would write such a program could just as easily make it use concurrent connections, have it auto-reconnect, and/or have it only send 900 packets per second.

I think that you should remove this section of the patch, but leave a comment about this problem existing so that it will be thought more about in the future. After the rest of the code is in, we can brainstorm on other possible solutions... I think that Mini's idea of approaching it as an optimization is the correct one.

Mike "Silby" Silbersack
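A model of the tcp_minmssoverload heuristic as the thread describes it, added here as an illustration (this is not Andre's patch or FreeBSD source): per-connection packet and byte counters reset every second, and the connection is dropped once more than 1000 packets in one second average less than tcp_minmss bytes of payload. The struct and function names, and the tcp_minmss value of 216, are this example's assumptions; the cases in main() show the threshold boundary the reply points out.

```c
#include <stdio.h>

/* Per-connection receive counters (constructed for this example, modelled
 * on the heuristic described in the mail): packets and payload bytes are
 * counted over the current one-second window. */
struct conn_stats {
    unsigned long rcv_second; /* start of the current counting window */
    unsigned long rcv_pps;    /* packets seen in this window */
    unsigned long rcv_byps;   /* payload bytes seen in this window */
};

/* Account one received segment. Returns 1 when the connection should be
 * dropped: more than 'overload' packets this second whose average payload
 * is below 'minmss'. Returns 0 otherwise. */
int minmss_overload_check(struct conn_stats *c, unsigned long now,
                          unsigned long payload_len,
                          unsigned long minmss, unsigned long overload)
{
    if (now != c->rcv_second) {       /* new second: reset the window */
        c->rcv_second = now;
        c->rcv_pps = 0;
        c->rcv_byps = 0;
    }
    c->rcv_pps++;
    c->rcv_byps += payload_len;
    if (c->rcv_pps > overload && c->rcv_byps / c->rcv_pps < minmss)
        return 1;
    return 0;
}

/* Feed 'count' segments of 'len' payload bytes within a single second
 * (constructed traffic) and report whether the check fires at any point. */
int burst_trips(unsigned long count, unsigned long len,
                unsigned long minmss, unsigned long overload)
{
    struct conn_stats c = {0, 0, 0};
    unsigned long i;
    for (i = 0; i < count; i++)
        if (minmss_overload_check(&c, 42, len, minmss, overload))
            return 1;
    return 0;
}

int main(void)
{
    /* tcp_minmss assumed 216, tcp_minmssoverload 1000 as in the mail */
    printf("1200 x 2-byte segments:   %s\n", burst_trips(1200, 2, 216, 1000) ? "dropped" : "kept");
    printf(" 900 x 2-byte segments:   %s\n", burst_trips(900, 2, 216, 1000) ? "dropped" : "kept");
    printf("1200 x 512-byte segments: %s\n", burst_trips(1200, 512, 216, 1000) ? "dropped" : "kept");
    return 0;
}
```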