Re: [dab@BSDI.COM: Re: [e2e] TCP-SYN and delayed TCB allocation]

From: Mike Silbersack (silby_at_silby.com)
Date: 05/28/03

  • Next message: kfl: "TCP for transaction"

Date: Wed, 28 May 2003 12:02:34 -0500 (CDT)
To: Barney Wolff <barney@databus.com>

    On Wed, 28 May 2003, Barney Wolff wrote:

    > I found this message interesting.
    > Can someone point me to the rationale for putting all conns through
    > the syncache?
    > Thanks,
    > Barney

    The main rationale is simple: Code duplication. If we kept both the
    incomplete listen queue and the syn cache, any incoming syn-ack would have
    to search both of them.

    I agree that FreeBSD's syn cache could be better, jlemon and I talked
    about incorporating some of Yahoo's patches to it, but we haven't had
    time yet. The main problem now is that we calculate syncookies for
    everything, and that we kick entries out of the syncache in FIFO order.
    What we should do is change things around so that we never kick out
    syncache entries due to incoming packets (although we could reduce their
    lifetime during attack), and only use syncookies for connections not
    resident in the syncache.

    That would increase our efficiency while under attack, although we're
    still in decent shape right now.

    I think the main difference in opinion is that we use the syncache to
    replace the incomplete listen queue, with syncookies as the backup plan.
    BSDI apparently still uses the incomplete listen queue as the main
    mechanism, with a syncache as backup. Hence, we're both going to be
    defensive about our implementations.

    If you want to arrange a syn-floodoff, I'd be interested in seeing the
    results. :)

    Mike "Silby" Silbersack
    _______________________________________________
    freebsd-net@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-net
    To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"

