the TCP MSS resource exhaustion commit
andre at freebsd.org
Fri Jan 9 06:24:00 PST 2004
Thorsten Greiner wrote:
> * Andre Oppermann <andre at freebsd.org> [2004-01-09 11:34]:
> > You can simply increase net.inet.tcp.minmssoverload to any
> > higher value. I suggest 2,000 as next step. If you set it to
> > 0 the check will be disabled entirely.
> Setting net.inet.tcp.minmssoverload to 4000 fixed my problem(s).
Ok, that's important information.
> > This makes me wonder why the Oracle database server is sending
> > so many small packets. Is your JBoss application doing connection
> > pooling (e.g. multiplexing multiple SQL sessions over one tcp
> > session)?
> It performs connection pooling on the application layer, i.e. it
> opens several connections and pools them to avoid reopening them. As
> far as I understand each Oracle connection is associated with a TCP
> connection - there is no pooling on the TCP level.
Ok. Might it be that Oracle is setting the TCP_NODELAY option on
its sending socket? I guess it is difficult to find that out...
> While I have read your commit message thoroughly I am not sure I
> have understood the consequences of the new mechanism. Will the
> exchange of many small packets trigger a connection drop?
Yes. Once you receive more than 1,000 tcp packets per second whose
average size is below the net.inet.tcp.minmss value, then it will
assume a malicious DoS attack. It appears that the default value
of 1,000 is too low.
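
A simplified model of the check as described in the message above, added here as an illustration and not FreeBSD's kernel code. It shows why a legitimate flow of small packets is dropped at a threshold of 1,000 but survives at 4,000. The struct and function names, the fixed one-second window, the constructed traffic rates and the minmss value of 216 are assumptions.

```c
#include <stdio.h>
#include <stdint.h>

/* Stand-ins for net.inet.tcp.minmss and net.inet.tcp.minmssoverload. */
struct mss_tunables { unsigned minmss; unsigned minmssoverload; };

/* Per-connection counters for the current one-second window (assumed layout). */
struct conn_stats { uint64_t window_sec; unsigned pkts; unsigned long bytes; };

/* Account for one received segment; return 1 if the connection would be dropped. */
int mss_check(struct conn_stats *c, const struct mss_tunables *t,
              uint64_t now_sec, unsigned payload_len)
{
    if (t->minmssoverload == 0)          /* 0 disables the check entirely */
        return 0;
    if (now_sec != c->window_sec) {      /* new second: start a fresh window */
        c->window_sec = now_sec;
        c->pkts = 0;
        c->bytes = 0;
    }
    c->pkts++;
    c->bytes += payload_len;
    /* More packets this second than the threshold AND a small average size. */
    return c->pkts > t->minmssoverload && c->bytes / c->pkts < t->minmss;
}

/* Constructed traffic: pps segments of len bytes each, for secs seconds. */
int simulate(unsigned minmss, unsigned overload,
             unsigned pps, unsigned len, unsigned secs)
{
    struct mss_tunables t = { minmss, overload };
    struct conn_stats c = { 0, 0, 0 };
    for (unsigned s = 1; s <= secs; s++)
        for (unsigned i = 0; i < pps; i++)
            if (mss_check(&c, &t, s, len))
                return 1;
    return 0;
}

int main(void)
{
    /* 1,500 small (100-byte) segments per second, e.g. a chatty database session. */
    printf("overload=1000: dropped=%d\n", simulate(216, 1000, 1500, 100, 3));
    printf("overload=4000: dropped=%d\n", simulate(216, 4000, 1500, 100, 3));
    printf("overload=0:    dropped=%d\n", simulate(216, 0, 1500, 100, 3));
    return 0;
}
```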