From owner-freebsd-hackers@FreeBSD.ORG  Sat Feb 28 22:28:54 2004
Return-Path: <owner-freebsd-hackers@FreeBSD.ORG>
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 6C8C916A4CE
	for <freebsd-hackers@freebsd.org>;
	Sat, 28 Feb 2004 22:28:54 -0800 (PST)
Received: from aries.ai.net (aries.ai.net [205.134.163.4])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 00B0243D3F
	for <freebsd-hackers@freebsd.org>;
	Sat, 28 Feb 2004 22:28:54 -0800 (PST)	(envelope-from deepak@ai.net)
Received: from ai.net (mikej@pool-151-200-114-38.res.east.verizon.net
	[151.200.114.38])
	by aries.ai.net (8.9.3/8.9.3) with ESMTP id BAA23773;
	Sun, 29 Feb 2004 01:28:47 -0500 (EST)	(envelope-from deepak@ai.net)
Message-ID: <4041869E.2070208@ai.net>
Date: Sun, 29 Feb 2004 01:28:46 -0500
From: Deepak Jain <deepak@ai.net>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
	rv:1.6) Gecko/20040113
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Mike Silbersack <silby@silby.com>
References: <FE045D4D9F7AED4CBFF1B3B813C85337045D8307@mail.sandvine.com>
	<20040229001251.Q11460@odysseus.silby.com>
In-Reply-To: <20040229001251.Q11460@odysseus.silby.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
cc: freebsd-hackers@freebsd.org
Subject: Re: em0, polling performance, P4 2.8ghz FSB 800mhz
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
	<freebsd-hackers.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>,
	<mailto:freebsd-hackers-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-hackers>
List-Post: <mailto:freebsd-hackers@freebsd.org>
List-Help: <mailto:freebsd-hackers-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>,
	<mailto:freebsd-hackers-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 29 Feb 2004 06:28:54 -0000

>>You could use ipfw to limit the damage of a syn flood, e.g.
>>a keep-state rule with a limit of ~2-5 per source IP, lower the
>>timeouts, increase the hash buckets in ipfw, etc. This would
>>use a mask on src-ip of all bits.
>>something like:
>>allow tcp from any to any setup limit src-addr 2
>>
>>this would only allow 2 concurrent TCP sessions per unique
>>source address. Depends on the syn flood you are expecting
>>to experience. You could also use dummynet to shape syn
>>traffic to a fixed level i suppose.
> 
> 
> Does that really help?  If so, we need to optimize the syncache. :(
>

I know that if I rate shape the setup traffic, it helps.

DJ