From owner-freebsd-current Tue Dec 1 08:20:45 1998
Date: Tue, 1 Dec 1998 11:19:58 -0500 (EST)
From: Garrett Wollman
Message-Id: <199812011619.LAA04055@khavrinen.lcs.mit.edu>
To: Matthew Dillon
Cc: "John Saunders"
Subject: Re: RE: D.O.S. attack protection enhancements commit (ICMP_BANDLIM)
In-Reply-To: <199812010708.XAA03688@apollo.backplane.com>
References: <005b01be1cf6$e6368da0$6cb611cb@saruman.scitec.com.au> <199812010708.XAA03688@apollo.backplane.com>
Sender: owner-freebsd-current@FreeBSD.ORG

< said:

> As far as I can tell, it starves the mbuf pool and/or outgoing
> packet queues.

More likely, this is a case of receive livelock -- the machine spends all of its time in interrupt mode servicing hardware interrupts and never makes it back down to soft IPL so that the network code can run and actually process the packets. Jeff Mogul at DEC Palo Alto wrote a paper about this a few years back. The right way to fix it is to actively schedule network service, so that packets are dropped in hardware when the machine is overloaded. You can check net.inet.ip.intr_queue_drops to see whether this is in fact happening.

> thrown away. Furthermore, if the reply is to a non-existent
> IP on the local LAN, the ICMP replies get buffered while
> the machine tries to ARP the destination.

We should rate-limit ARPs, but don't.
> If not, the xmit
> traffic goes to the switch which starts collisioning-out packets
> when the router beyond the switch saturates.

I'm sorry, I can't parse this.

> It's a real problem. When you are receiving a 20Kpps
> attack you do not want to be transmitting 20Kpps in ICMP
> replies to a possibly spoofed address.

Then again, when you are receiving 20kpps of legitimate traffic, you still want to behave correctly.

-GAWollman

--
Garrett A. Wollman    | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu   | O Siem / The fires of freedom
Opinions not those of | Dance in the burning flame
MIT, LCS, CRS, or NSA | - Susan Aglukark and Chad Irschick
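The ICMP_BANDLIM idea the thread is arguing about, as an added example that is not FreeBSD's code: a per-class windowed counter that lets the host keep answering legitimate traffic at full rate while capping the error and echo replies a flood could provoke, and logging once per window how much it suppressed. The class names, per-second limits, one-second window and FakeClock are assumptions made for the example.

```python
import time
from collections import defaultdict

# Reply classes and the constructed per-second ceilings assumed for them.
LIMITS = {"unreach": 100, "echo-reply": 200, "tstamp-reply": 50}

class FakeClock:
    """Deterministic clock for tests and demos; advance() moves time forward."""
    def __init__(self): self.now = 0.0
    def advance(self, secs): self.now += secs
    def __call__(self): return self.now

class IcmpReplyLimiter:
    """Count outgoing replies of each class inside a fixed window; drop any
    reply that would push the class past its per-window limit."""

    def __init__(self, limits=LIMITS, window=1.0, clock=time.monotonic):
        self.limits = dict(limits)
        self.window = window
        self.clock = clock
        self.window_start = defaultdict(lambda: 0.0)  # per-class window start
        self.sent = defaultdict(int)                  # replies sent in window
        self.dropped = defaultdict(int)               # replies dropped in window
        self.log = []                                 # constructed "syslog" lines

    def _roll(self, cls, now):
        # New window: report what the previous one suppressed, then reset.
        if now - self.window_start[cls] >= self.window:
            if self.dropped[cls]:
                self.log.append(
                    "Limiting ICMP %s response from %d to %d packets per second"
                    % (cls, self.sent[cls] + self.dropped[cls], self.limits[cls]))
            self.window_start[cls] = now
            self.sent[cls] = self.dropped[cls] = 0

    def allow(self, cls):
        """Return True if a reply of class `cls` may be transmitted now."""
        if cls not in self.limits:      # unlimited class, e.g. ordinary data
            return True
        now = self.clock()
        self._roll(cls, now)
        if self.sent[cls] < self.limits[cls]:
            self.sent[cls] += 1
            return True
        self.dropped[cls] += 1
        return False

def simulate(limiter, cls, count):
    # Offer `count` replies of one class; return (sent, dropped).
    decisions = [limiter.allow(cls) for _ in range(count)]
    return decisions.count(True), decisions.count(False)
```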