Date: Thu, 22 Nov 2001 13:13:54 -0600
From: Bill Fumerola <billf@mu.org>
To: Jonathan Lemon <jlemon@flugsvamp.com>
Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/sys/conf files src/sys/net route.h src/sys/netinet in_pcb.c in_pcb.h tcp_input.c tcp_output.c tcp_subr.c tcp_syncache.c tcp_usrreq.c tcp_var.h src/sys/netinet6 tcp6_var.h
Message-ID: <20011122131354.U81711@elvis.mu.org>
In-Reply-To: <20011122122609.B18433@prism.flugsvamp.com>; from jlemon@flugsvamp.com on Thu, Nov 22, 2001 at 12:26:09PM -0600
References: <200111220450.fAM4oih68928@freefall.freebsd.org> <20011122063316.J55012@squall.waterspout.com> <20011122122609.B18433@prism.flugsvamp.com>

On Thu, Nov 22, 2001 at 12:26:09PM -0600, Jonathan Lemon wrote:
> At some point, yes; after it has gotten a better shakeout in -current.

just to add some data points...

in local, unscientific testing ps and myself were able to throw 100kpps+ of SYN at an open port on a machine running this code and still establish legitimate connections through the noise. start adding packet loss with ipfw (static or WFQ) of SYN packets and it could handle more.

recently, a network vendor while pimping their nextgen load balancing product to yahoo listed one of the selling points as "windows falls over at Xkpps of syn, but our product can terminate connections and withstand Ykpps". Both numbers were less than half of the 100kpps number we achieved with jlemon's syncache..

This code offers the best protection against syn floods for FreeBSD that I've seen either in software (ipfw+dummynet, ipf, etc) or hardware (load balancers that terminate [perform the 3 way handshake] connections, cisco's tcp intercept, etc) solutions.

jonathan deserves several gallons of the beverage of his choice...

--
- bill fumerola / fumerola@yahoo-inc.com / billf@FreeBSD.org / billf@mu.org
- my anger management counselor can beat up your self-affirmation therapist

ps. the exact numbers of how much it can block are dependent on the components used in the machine and various tuning.. YMM heavily V.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe cvs-all" in the body of the message