Date: Tue, 25 Jan 2000 16:42:02 -0700
From: Wes Peters <wes@softweyr.com>
To: Matthew Dillon <dillon@apollo.backplane.com>
Cc: security@freebsd.org
Subject: Re: tcp patch tests good (w/ test results) (was Re: Merged patches)
Message-ID: <388E34CA.5FAFDA3@softweyr.com>
References: <200001251733.JAA04770@apollo.backplane.com> <200001251637.JAA04226@harmony.village.org> <200001251736.KAA04666@harmony.village.org> <200001251919.LAA05907@apollo.backplane.com>

Matthew Dillon wrote:
>
> I'm testing it... oh what fun! On a 100BaseTX switched network,
> with a dual-cpu 450 MHz SMP box as the attacker and a UP build -current
> box (450 MHz) as the victim (UP build so the idle times come out right):
>
> attacker      victim            victim            victim
>               ICMP_BANDLIM      ICMP_BANDLIM      TCP_RESTRICT_RST
>               output lim 100    output lim 10     enabled
>                                                   (ICMP_BANDLIM off)
>
> 1600 pps      98% idle          98% idle          98% idle
> 6400 pps      95% idle          95% idle          95% idle
> 12800 pps     90% idle          90% idle          90% idle
> 34000 pps     74% idle          74% idle          76% idle
> 41000 pps     69% idle          70% idle          70% idle
> 58000 pps     57% idle          57% idle          58% idle
> 88000 pps     34% idle          34% idle          36% idle
> 96000 pps     28% idle          29% idle          30% idle
> 103000 pps    23% idle          23% idle          23% idle
>
> When I did an SMP build for the victim, it stopped responding at around
> 99000 pps, and started responding again after I stopped the attack. Apart
> from that the numbers were similar -- the SMP box was somewhat less
> efficient for obvious reasons.
>
> I can't shove out more than 103000 pps on my attack box. At 103000 pps
> the network was pushing around 6.2 MBytes/sec. I've got to run so I
> don't have time to attack from several sources at once.
>
> In any case, I think the patch can be committed. The rest of my network
> was idle (no multicast bounce leakage) during the test. I leave it up
> to Warner to decide whether to enable ICMP_BANDLIM in GENERIC by default
> or not. After thinking about it some more, I think I *would* enable it
> in GENERIC.
>
> These boxes both have on-motherboard 'fxp' ethernets (Intel EtherExpress
> Pro 10/100B).
Thanks, Matt, and good work. I'll be doing the same testing here on -STABLE
later on, when I can safely leak packets to the main lan (just in case. ;^)
--
"Where am I, and what am I doing in this handbasket?"
Wes Peters Softweyr LLC
wes@softweyr.com http://softweyr.com/
