Message-ID: <3BCED5E7.3FAE9EB8@mindspring.com>
Date: Thu, 18 Oct 2001 06:15:19 -0700
From: Terry Lambert
Reply-To: tlambert2@mindspring.com
To: Mike Silbersack
Cc: David Malone, Zhihui Zhang, freebsd-hackers@freebsd.org
Subject: Re: Limiting closed port RST response
References: <20011017120330.H47595-100000@achilles.silby.com>

Mike Silbersack wrote:
> > > Could someone be port scanning you? Another possibility is that
> > > a lot of machines are trying to contact a TCP service on the machine
> > > in question, which isn't running.
> >
> > I've seen this while doing load testing.
> >
> > In general, you want the limit threshold to be higher than
> > the connections per second rate, or you will get this message.
> >
> > I have modified my code locally to crank it up to twice the
> > listen queue depth. Frequently, you are just better off by
> > turning off the limiting entirely (there's a sysctl; look at
> > the code in netinet that emits the message, or grep sysctl -A
> > for "lim").
>
> Wouldn't fixing your code so that it isn't dropping connections be a
> better plan? When things are working properly, there should be no need
> for RSTs to be thrown around the network.

The problem is what to do when you are attacked. You need to
balance resilience in the face of attack with the ability to
bear a legitimately high load.

-- Terry