Date: Tue, 1 Dec 1998 11:19:58 -0500 (EST)
From: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
To: Matthew Dillon <dillon@apollo.backplane.com>
Cc: "John Saunders" <john.saunders@scitec.com.au>, <freebsd-current@FreeBSD.ORG>
Subject: Re: RE: D.O.S. attack protection enhancements commit (ICMP_BANDLIM)
Message-ID: <199812011619.LAA04055@khavrinen.lcs.mit.edu>
In-Reply-To: <199812010708.XAA03688@apollo.backplane.com>
References: <005b01be1cf6$e6368da0$6cb611cb@saruman.scitec.com.au> <199812010708.XAA03688@apollo.backplane.com>
<<On Mon, 30 Nov 1998 23:08:50 -0800 (PST), Matthew Dillon <dillon@apollo.backplane.com> said:

> As far as I can tell, it starves the mbuf pool and/or outgoing
> packet queues.

More likely, this is a case of receive livelock -- the machine spends all of its time in interrupt mode servicing hardware interrupts and never makes it back down to soft IPL so that the network code can run and actually process the packets. Jeff Mogul at DEC Palo Alto wrote a paper about this a few years back. The right way to fix it is to actively schedule network service, so that packets are dropped in hardware when the machine is overloaded. You can check net.inet.ip.intr_queue_drops to see whether this is in fact happening.

> thrown away. Furthermore, if the reply is to a non-existent
> IP on the local LAN, the ICMP replies get buffered while
> the machine tries to ARP the destination.

We should rate-limit ARPs, but don't.

> If not, the xmit
> traffic goes to the switch which starts collisioning-out packets
> when the router beyond the switch saturates.

I'm sorry, I can't parse this.

> It's a real problem. When you are receiving a 20Kpps
> attack you do not want to be transmitting 20Kpps in ICMP
> replies to a possibly spoofed address.

Then again, when you are receiving 20kpps of legitimate traffic, you still want to behave correctly.

-GAWollman

--
Garrett A. Wollman    | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu   | O Siem / The fires of freedom
Opinions not those of | Dance in the burning flame
MIT, LCS, CRS, or NSA| - Susan Aglukark and Chad Irschick

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message
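As an added illustration of the mechanism the thread is arguing about (this is not FreeBSD's ICMP_BANDLIM code; the struct, the fixed one-second window and the per-second cap are assumptions), the following limiter caps ICMP replies per second during a storm while leaving a modest legitimate rate untouched:

```c
/* Added example (not FreeBSD code): a fixed-window rate limiter for ICMP
 * replies, illustrating the ICMP_BANDLIM idea discussed in the thread.
 * Assumptions: one counter per reply class, a 1-second window, and a
 * configurable per-second cap; the real kernel's structures differ. */
#include <stdint.h>
#include <stdio.h>

struct bandlim {
    uint64_t window_start_ms;      /* start of the current 1 s window */
    unsigned count;                /* replies sent in this window */
    unsigned limit;                /* max replies allowed per window */
    unsigned dropped;              /* replies suppressed (for accounting) */
};

/* Returns 1 if the reply may be sent, 0 if it should be suppressed. */
int bandlim_allow(struct bandlim *b, uint64_t now_ms) {
    if (now_ms - b->window_start_ms >= 1000) {   /* new window: reset */
        b->window_start_ms = now_ms;
        b->count = 0;
    }
    if (b->count < b->limit) {
        b->count++;
        return 1;
    }
    b->dropped++;
    return 0;
}

/* Simulate `pps` reply-triggering packets per second for `seconds` and
 * return how many ICMP replies would actually be transmitted. */
unsigned simulate(unsigned pps, unsigned seconds, unsigned limit) {
    struct bandlim b = { .window_start_ms = 0, .count = 0, .limit = limit, .dropped = 0 };
    unsigned sent = 0;
    for (unsigned s = 0; s < seconds; s++)
        for (unsigned i = 0; i < pps; i++)   /* spread packets evenly over the second */
            sent += bandlim_allow(&b, (uint64_t)s * 1000 + (uint64_t)i * 1000 / pps);
    return sent;
}

int main(void) {
    /* Constructed scenario: a 20 Kpps storm for 5 s versus 50 pps of ordinary
     * traffic; the cap of 100 replies/s only bites on the storm. */
    printf("storm replies:  %u\n", simulate(20000, 5, 100));
    printf("legit replies:  %u\n", simulate(50, 5, 100));
    return 0;
}
```

The trade-off Wollman raises is visible in the cap itself: a limit set below the legitimate reply rate would suppress correct replies too, so the value must be chosen against real traffic, not just the attack case.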