Re: the TCP MSS resource exhaustion commit
From: Andre Oppermann (andre_at_freebsd.org)
Date: 01/09/04
- Previous message: Bernd Walter: "Re: the TCP MSS resource exhaustion commit"
- In reply to: Bernd Walter: "Re: the TCP MSS resource exhaustion commit"
- Next in thread: Bernd Walter: "Re: the TCP MSS resource exhaustion commit"
- Reply: Bernd Walter: "Re: the TCP MSS resource exhaustion commit"
- Reply: Dan Nelson: "Re: the TCP MSS resource exhaustion commit"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Fri, 09 Jan 2004 16:12:34 +0100 To: ticso@cicely.de
Bernd Walter wrote:
>
> On Fri, Jan 09, 2004 at 03:23:53PM +0100, Andre Oppermann wrote:
> > Thorsten Greiner wrote:
> > >
> > > * Andre Oppermann <andre@freebsd.org> [2004-01-09 11:34]:
> > > > You can simply increase net.inet.tcp.minmssoverload to any
> > > > higher value. I suggest 2,000 as next step. If set it to
> > > > 0 the check will be disabled entirely.
> > >
> > > Setting net.inet.tcp.minmssoverload to 4000 fixed my problem(s).
> >
> > Ok, that's an important information.
> >
> > > > This makes we wonder why the Oracle database server is sending
> > > > so many small packets. Is your JBoss application doing connection
> > > > pooling (eg. multiplexing multiple SQL sessions over one tcp
> > > > session)?
> > >
> > > It performs connection pooling on the application layer, i.e. it
> > > opens several connections and pools them to avoid reopening them. As
> > > far as I understand each Oracle connection is associated with a TCP
> > > connection - there is no pooling on the TCP level.
> >
> > Ok. Might it be that Oracle is setting the TCP_NODELAY option on
> > its sending socket? I guess it is difficult to find that out...
> >
> > > While I have read your commit message thoroughly I am not sure I
> > > have understood the consequences of the new mechanism. Will the
> > > exchange of many small packets trigger a connection drop?
> >
> > Yes. Once you receive more than 1,000 tcp packets per second whose
> > average size is below the net.inet.tcp.minmss value, then it will
> > assume a malicious DoS attack. It appears that the default value
> > of 1,000 is too low.
>
> What about ACKs from a simple TCP device such as a microcontroller?
> Or slip connects with MTU of 300?
> Many smaller controllers don't have enough RAM to do delayed acks
> or run at MTU 1500.
> Even a hand full public webservers are running on such systems!
> I'm a bit worried about having such a feature enabled by default to
> break TCP communication with specialised hardware.
If the microcontroller doesn't have enough RAM to do delayed ACKs
I highly doubt that it is capable to generate 1,000 packet per
second.
The detection logic only applies to TCP packets containing payload,
not to ACKs or anything else.
-- Andre _______________________________________________ freebsd-current@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"
- Previous message: Bernd Walter: "Re: the TCP MSS resource exhaustion commit"
- In reply to: Bernd Walter: "Re: the TCP MSS resource exhaustion commit"
- Next in thread: Bernd Walter: "Re: the TCP MSS resource exhaustion commit"
- Reply: Bernd Walter: "Re: the TCP MSS resource exhaustion commit"
- Reply: Dan Nelson: "Re: the TCP MSS resource exhaustion commit"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Relevant Pages
|
|
