Re: [RFC PATCH 0/2] Faster/parallel SYN handling to mitigate SYN floods
On Thu, 2012-05-31 at 14:58 +0200, Eric Dumazet wrote:
> On Thu, 2012-05-31 at 14:51 +0200, Jesper Dangaard Brouer wrote:
> > On Thu, 2012-05-31 at 00:40 +0200, Jesper Dangaard Brouer wrote:
> > > That seems like a very unlikely situation, which we perhaps should
> > > neglect as we are under SYN attack.
> > >
> > > I will test the attack vector, if we instead of dropping the reqsk,
> > > fall back into the slow locked path.
> >
> > I can provoke this attack vector, and performance is worse, if not
> > dropping the reqsk early.
> >
> > Generator SYN flood at 750Kpps, sending false retransmits mixture.
> >
> > - With early drop: 406 Kpps
> > - With return to locked processing: 251 Kpps
> >
> > It's still better than the approx 150Kpps, without any patches.
> >
>
> How many different IP addresses are used by your generator ?

In this attack I reduced the IPs to 255, and also the source port numbers, and then simply cloned some of the SKBs. But normally I use 65535 IPs 198.18.0.0/16 (the range reserved for benchmarking).

> Or maybe you disabled IP route cache ?

Why do you think I have disabled the IP dst route cache?

--
To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html