From owner-freebsd-security Sun Jan 23 23:38:44 2000 Delivered-To: freebsd-security@freebsd.org Received: from gatekeeper.tsc.tdk.com (gatekeeper.tsc.tdk.com [207.113.159.21]) by hub.freebsd.org (Postfix) with ESMTP id 8DCD514E5B for ; Sun, 23 Jan 2000 23:38:41 -0800 (PST) (envelope-from gdonl@tsc.tdk.com) Received: from imap.gv.tsc.tdk.com (imap.gv.tsc.tdk.com [192.168.241.198]) by gatekeeper.tsc.tdk.com (8.8.8/8.8.8) with ESMTP id XAA07748; Sun, 23 Jan 2000 23:38:36 -0800 (PST) (envelope-from gdonl@tsc.tdk.com) Received: from salsa.gv.tsc.tdk.com (salsa.gv.tsc.tdk.com [192.168.241.194]) by imap.gv.tsc.tdk.com (8.9.3/8.9.3) with ESMTP id XAA63040; Sun, 23 Jan 2000 23:38:35 -0800 (PST) (envelope-from Don.Lewis@tsc.tdk.com) Received: (from gdonl@localhost) by salsa.gv.tsc.tdk.com (8.8.5/8.8.5) id XAA21595; Sun, 23 Jan 2000 23:38:35 -0800 (PST) From: Don Lewis Message-Id: <200001240738.XAA21595@salsa.gv.tsc.tdk.com> Date: Sun, 23 Jan 2000 23:38:35 -0800 In-Reply-To: <20000123112220.E18349@above.net> References: <20000123102829.C18349@above.net> <20000123083234.N26520@fw.wintelcom.net> <20000123112220.E18349@above.net> X-Mailer: Mail User's Shell (7.2.6 beta(5) 10/07/98) To: Richard Steenbergen , Alfred Perlstein Subject: Re: stream.c Cc: freebsd-security@FreeBSD.ORG Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Jan 23, 11:22am, Richard Steenbergen wrote: } Subject: Re: stream.c } On Sun, Jan 23, 2000 at 08:32:34AM -0800, Alfred Perlstein wrote: } > * Richard Steenbergen [000123 07:53] wrote: } > > } > > The correct "sorta-fix" is to rate limit the number of dropwithreset's per } > > second, else kick them down to straight drop. I believe this has been done } > > effectively in http://www.freebsd.org/~alfred/tcp_fix.diff (though I } > > question what its aimed to be accomplished with that checksum work :P). } > } > The idea is to reduce the amount of time spent doing checksums on invalid } > packets, why checksum if the destination port isn't open or no such } > connection is open? } > } > Unfortunatly even after moving the checksum quite far into tcp_input's } > path it still seems pretty easy to eat all CPU on a box, in fact I } > didn't notice any improvement at all. If the checksum was the problem, then an attacker could DoS the machine by creating a connection and sending duplicate packets. This could be trivially be done by repeatedly sending the same SYN+data. You have to do the checksum before fitting the segment into the input stream. } > Maybe i'm missing something, those interested can have a try at: } > http://www.freebsd.org/~alfred/tcp_fix_untested.diff } > } > maybe someone can tell me what i'm screwing up. } } The checksums are a pretty small amount of the CPU time burned. The RST } generation is by far the worst, the PCB hash lookups are 2nd after that. Any idea why RST generation is so bad? } And really you shouldn't be doing any work at all if the checksum is } invalid. :P To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message