Date: Sat, 21 Oct 2000 18:50:16 -0700
From: Alfred Perlstein <bright@wintelcom.net>
To: "Marius M. Rex" <marius@malkav.snowmoon.com>
Cc: freeBSD-questions@FreeBSD.ORG
Subject: Re: TCP-ack traffic
Message-ID: <20001021185015.F28123@fw.wintelcom.net>
In-Reply-To: <Pine.BSF.4.21.0010191203580.53286-100000@malkav.snowmoon.com>; from marius@malkav.snowmoon.com on Thu, Oct 19, 2000 at 12:27:00PM -0400
References: <Pine.BSF.4.21.0010191203580.53286-100000@malkav.snowmoon.com>
* Marius M. Rex <marius@malkav.snowmoon.com> [001019 09:27] wrote:
>
> I heard somewhere recently that Yahoo had come up with a modification to
> FreeBSD to help protect against DOS attacks. It waits until the first
> true byte of actual data comes through before opening a path to its
> services. Is this code available, and where so? I also heard say that it
> was ported over to a Linux kernel patch.
>
> Basically at my company we have clustered webservers. Some clusters serve
> images, others static pages, others handle database calls, etc. We have
> recently had some problems where one server in a cluster gets a request,
> spawns a bunch of child processes for Apache to serve the requests, but
> then gets no data for a significant amount of time. (say 30
> seconds) That leaves the server that is trying to serve those requests
> crunching processor time for no reason, and other servers sitting around
> and doing nothing. Webservers end up acting non-responsive, and my beeper
> goes off. (You see where my priorities lie, don't-cha?)
>
> Looking at the numbers, I think this happens to our Linux boxes
> more than our FreeBSD boxes. (We have more Linux boxes than FreeBSD. We
> use FreeBSD for the -heavy- traffic servers, and Linux for everything
> else.) It may be that we just have so many more Linux boxes that the
> numbers are obviously skewed. Or perhaps this modification has just been
> added to the FreeBSD code? (I am tracking stable)
> Unfortunately I am working on rumors. If any of my babbling rings
> a bell for someone, could they please point me to more info? I also want
> to track down that Linux kernel patch, if I can.

You want to use the accf_http/accf_data kernel modules that ship with
FreeBSD 4.1.1; you can read more about them in the manpages for
accept_filter(9) and setsockopt(2). If you pick up a recent copy of
Apache, you can run its configure script in such a way as to inform it
that you are on FreeBSD and want it to use accept filters.
best of luck,
-Alfred
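As an added illustration of what Alfred describes (not code from the e-mail or from Apache), the following C program attaches the accf_http accept filter to a listening socket with setsockopt(2), so accept(2) only returns a connection once a complete HTTP request has arrived instead of a bare handshake. It assumes a FreeBSD host with the accf_http module loaded (kldload accf_http) and the filter name "httpready"; the loopback port and the portability fallback for hosts without SO_ACCEPTFILTER are the example's own choices.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Attach accept filter `name` ("httpready" for accf_http, "dataready" for
 * accf_data) to a socket that is already in the listening state.
 * Returns 0 on success, -1 with errno set on failure (e.g. module not
 * loaded, or called before listen(2)), and 1 when the platform has no
 * SO_ACCEPTFILTER so the caller can fall back to an unfiltered accept. */
int attach_accept_filter(int fd, const char *name)
{
#ifdef SO_ACCEPTFILTER
    struct accept_filter_arg afa;            /* FreeBSD-specific argument */
    memset(&afa, 0, sizeof afa);
    strncpy(afa.af_name, name, sizeof afa.af_name - 1);
    return setsockopt(fd, SOL_SOCKET, SO_ACCEPTFILTER, &afa, sizeof afa);
#else
    (void)fd; (void)name;                    /* assumption: non-FreeBSD build */
    return 1;
#endif
}

/* Create an IPv4 listener on loopback:`port` (0 = any free port), then
 * attach `filter`. Returns the listening fd or -1; the filter result is
 * reported separately through *filter_status. */
int listen_with_filter(unsigned short port, const char *filter, int *filter_status)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sin.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0 || listen(fd, 128) < 0) {
        close(fd);
        return -1;
    }
    *filter_status = attach_accept_filter(fd, filter);  /* after listen(2) */
    return fd;
}

int main(void)
{
    int status;
    int fd = listen_with_filter(0, "httpready", &status);
    if (fd < 0) { perror("listen"); return 1; }
    if (status == 0) puts("accf_http attached: accept() now waits for a full request");
    else if (status == 1) puts("SO_ACCEPTFILTER not available on this platform");
    else perror("SO_ACCEPTFILTER (is accf_http loaded?)");
    close(fd);
    return 0;
}
```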