Date: Sun, 23 Jan 2000 08:32:34 -0800
From: Alfred Perlstein
To: Richard Steenbergen
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: stream.c
Message-ID: <20000123083234.N26520@fw.wintelcom.net>
References: <20000123102829.C18349@above.net>
In-Reply-To: <20000123102829.C18349@above.net>; from ras@above.net on Sun, Jan 23, 2000 at 10:28:30AM -0500

* Richard Steenbergen [000123 07:53] wrote:
>
> The correct "sorta-fix" is to rate limit the number of dropwithreset's per
> second, else kick them down to straight drop. I believe this has been done
> effectively in http://www.freebsd.org/~alfred/tcp_fix.diff (though I
> question what its aimed to be accomplished with that checksum work :P).

The idea is to reduce the amount of time spent doing checksums on
invalid packets, why checksum if the destination port isn't open
or no such connection is open?

Unfortunately even after moving the checksum quite far into tcp_input's
path it still seems pretty easy to eat all CPU on a box, in fact I
didn't notice any improvement at all.

Maybe I'm missing something, those interested can have a try at:
http://www.freebsd.org/~alfred/tcp_fix_untested.diff

maybe someone can tell me what I'm screwing up.

> yada yada hope this helps someone, I'm so sick of stream.c it's not even
> funny.

:)

--
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
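
The rate limit described in the quoted text above (answer with a reset up to a per-second budget, then fall back to a plain drop), as an added example that is not part of the original message and is not the code in tcp_fix.diff. All names, the one-second fixed window and the limit of 200 are assumptions made for illustration.

```c
#include <stdint.h>

/* Hypothetical names; a sketch of the idea, not code from tcp_fix.diff. */
enum drop_action { DROP_SILENT, DROP_WITH_RESET };

struct rst_limiter {
    uint32_t limit_per_sec; /* most RSTs to emit in any one-second window */
    uint64_t window;        /* the second the current window covers */
    uint32_t sent;          /* RSTs emitted in this window */
    uint64_t suppressed;    /* resets downgraded to a silent drop */
};

void rst_limiter_init(struct rst_limiter *rl, uint32_t limit_per_sec)
{
    *rl = (struct rst_limiter){ .limit_per_sec = limit_per_sec };
}

/* Decide the fate of a segment that matched no listener or connection.
 * now_sec is the caller's seconds counter (assumed, e.g. uptime). */
enum drop_action rst_limiter_check(struct rst_limiter *rl, uint64_t now_sec)
{
    if (now_sec != rl->window) { /* a new second: start a fresh budget */
        rl->window = now_sec;
        rl->sent = 0;
    }
    if (rl->sent < rl->limit_per_sec) {
        rl->sent++;
        return DROP_WITH_RESET;
    }
    rl->suppressed++;            /* over budget: no RST, just drop */
    return DROP_SILENT;
}

/* Feed n unmatched segments arriving within one second; count the RSTs. */
uint32_t simulate_burst(struct rst_limiter *rl, uint64_t now_sec, uint32_t n)
{
    uint32_t resets = 0;
    for (uint32_t i = 0; i < n; i++)
        if (rst_limiter_check(rl, now_sec) == DROP_WITH_RESET)
            resets++;
    return resets;
}

int main(void)
{
    struct rst_limiter rl;
    rst_limiter_init(&rl, 200);  /* constructed limit, not from the page */
    return simulate_burst(&rl, 100, 10000) == 200 ? 0 : 1;
}
```

The `suppressed` counter is what an operator would log or export: a sustained non-zero rate means the host is being sent far more unmatched segments than it is willing to answer.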