RE: [PATCH] tcp: do not create inetpeer on SYNACK message

Hi Eric

>Another problem on SYNFLOOD/DDOS attack is the inetpeer cache getting
>larger and larger, using lots of memory and cpu time.
>
>tcp_v4_send_synack()
>->inet_csk_route_req()
> ->ip_route_output_flow()
>  ->rt_set_nexthop()
>   ->rt_init_metrics()
>    ->inet_getpeer( create = true)
>
>This is a side effect of commit a4daad6b09230 (net: Pre-COW metrics for
>TCP) added in 2.6.39
>
>Possible solution :
>
>Instruct inet_csk_route_req() to remove FLOWI_FLAG_PRECOW_METRICS
>

I think we are on the right way now.

Some results from one of our testers, before applying "reflect SYN queue_mapping into SYNACK":

"(The latest one from Eric is not included. I am building with that one right now.)
Results were that with the same number of SYN/s, load went down 30% on each of the three CPUs that were handling the SYNs.
Great !!!"

I'm looking forward to seeing the results of the latest patch.

Then I think conntrack needs a little shape up, like a "mini-conntrack"; it is way too expensive to alloc a full "conntrack" for every SYN.
I have a bunch of patches and ideas for that...

Thanks Eric for a great job

/Hans