Date: Fri, 09 Jan 2004 15:23:53 +0100
From: Andre Oppermann <andre@freebsd.org>
To: Thorsten Greiner <thorsten@tgreiner.net>
Cc: current@freebsd.org
Subject: Re: the TCP MSS resource exhaustion commit
Message-ID: <3FFEB979.3C705A85@freebsd.org>
References: <20040109085522.GB4246@tybalt.nev.psi.de> <3FFE8232.730F70B8@freebsd.org> <20040109132453.GD2031@tybalt.nev.psi.de>

Thorsten Greiner wrote:
>
> * Andre Oppermann <andre@freebsd.org> [2004-01-09 11:34]:
> > You can simply increase net.inet.tcp.minmssoverload to any
> > higher value.  I suggest 2,000 as next step.  If you set it to
> > 0 the check will be disabled entirely.
>
> Setting net.inet.tcp.minmssoverload to 4000 fixed my problem(s).

Ok, that's important information.

> > This makes me wonder why the Oracle database server is sending
> > so many small packets.  Is your JBoss application doing connection
> > pooling (e.g. multiplexing multiple SQL sessions over one tcp
> > session)?
>
> It performs connection pooling on the application layer, i.e. it
> opens several connections and pools them to avoid reopening them. As
> far as I understand each Oracle connection is associated with a TCP
> connection - there is no pooling on the TCP level.

Ok.  Might it be that Oracle is setting the TCP_NODELAY option on
its sending socket?  I guess it is difficult to find that out...

> While I have read your commit message thoroughly I am not sure I
> have understood the consequences of the new mechanism. Will the
> exchange of many small packets trigger a connection drop?

Yes.  Once you receive more than 1,000 tcp packets per second whose
average size is below the net.inet.tcp.minmss value, then it will
assume a malicious DoS attack.

It appears that the default value of 1,000 is too low.

-- 
Andre
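
Added example, not part of the original message and not the FreeBSD kernel code: a user-space C model of the check as the reply describes it (more than minmssoverload segments in one second with an average size below minmss), showing how the threshold setting changes the outcome for chatty but legitimate traffic. The struct and function names, the fixed one-second window, and the sample values (216 bytes for minmss, 3,000 segments/s of 100 bytes) are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* User-space model of the check as described in the message above.
 * Hypothetical names; this is not the FreeBSD kernel code. */
struct mss_guard {
    uint32_t minmss;         /* models net.inet.tcp.minmss, in bytes */
    uint32_t minmssoverload; /* models net.inet.tcp.minmssoverload; 0 = off */
    uint64_t window_start;   /* start of the current 1 s window, in ms */
    uint32_t pkts;           /* segments counted in this window */
    uint64_t bytes;          /* bytes counted in this window */
};

/* Account one received segment; true means the connection would be dropped. */
static bool mss_guard_rx(struct mss_guard *g, uint64_t now_ms, uint32_t len)
{
    if (g->minmssoverload == 0)
        return false;                        /* check disabled entirely */
    if (now_ms - g->window_start >= 1000) {  /* assumed: fixed 1 s windows */
        g->window_start = now_ms;
        g->pkts = 0;
        g->bytes = 0;
    }
    g->pkts++;
    g->bytes += len;
    /* Both conditions must hold: rate above threshold, average below minmss. */
    return g->pkts > g->minmssoverload && g->bytes / g->pkts < g->minmss;
}

/* Replay pps equally sized segments spread over one second; 1 = dropped. */
static int replay(uint32_t minmss, uint32_t overload, uint32_t pps, uint32_t len)
{
    struct mss_guard g = { minmss, overload, 0, 0, 0 };
    for (uint32_t i = 0; i < pps; i++)
        if (mss_guard_rx(&g, (uint64_t)i * 1000 / pps, len))
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed traffic: 3,000 segments/s of 100 bytes; minmss 216 is a sample. */
    printf("overload=1000: %s\n", replay(216, 1000, 3000, 100) ? "drop" : "ok");
    printf("overload=4000: %s\n", replay(216, 4000, 3000, 100) ? "drop" : "ok");
    printf("overload=0:    %s\n", replay(216, 0, 3000, 100) ? "drop" : "ok");
    printf("full-size:     %s\n", replay(216, 1000, 3000, 1460) ? "drop" : "ok");
    return 0;
}
```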