tcp hostcache and ip fastforward for review

Andre Oppermann oppermann at
Sun Nov 9 14:47:11 PST 2003

Jonathan Mini wrote:
> On Nov 9, 2003, at 8:19 AM, Andre Oppermann wrote:
> >   - DoS attack 2: make MSS very low on local side of connection
> >     and send maaaany small packets to remote host. For every packet
> >     (e.g. 2 bytes payload) a sowakeup is done to the listening
> >     process. Consumes a lot of CPU there.
> >
> This sounds as if it might be worthwhile to add a delay to
> the TF_NODELAY case for receive processing as well.

Unfortunately it is not that easy. We can't just do that unconditionally
to all connections. It would probably break or delay many things. You
never know how much data is outstanding and whether it's just this
packet with 2 bytes outstanding...

As an application aware of this problem you have currently two
options: use accept filters (FreeBSD only) or set SO_RCVLOWAT to some
higher value than the default 1 byte. Only the first one is workable
if you don't know what and how much the clients send to you. Relying
on the application to activate any such option to prevent this kind
of DoS is unfortunately wishful thinking.

The code I've put in here simply caps off the extreme cases. It
counts all packets and bytes in any given second and computes the
average payload size per packet. If that is less than we have defined
for minmss it will reset and drop the connection. However it will only
start to compute the average if there are more than 1'000 packets per
second on the same tcp connection. I've chosen this quite high value
to never disconnect any legitimate connection which just happens to
send many small packets. In my tests I've seen telnet/ssh sending
close to 100 small packets per second (some large copy-pasting and
cat'ing of many small files). Probably 500 packets per second is a
better cut-off value but I just want to be sure to never hit a false


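The per-second small-packet check Andre describes above (count packets and payload bytes per second, only judge once more than 1000 packets have arrived in that second, and reset the connection when the average payload falls below minmss) is easy to state but worth seeing as code, because the two thresholds interact: the rate floor is what protects legitimate chatty connections, and the average is what catches the 2-byte flood. The following is an added, user-space model of that logic written for this thread; it is not Andre's patch and not FreeBSD kernel code. The struct, function names, and the minmss value of 216 are assumptions chosen for illustration; the 1000 packets-per-second floor is the one named in the post.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Per-connection receive-side counters; they belong to one wall-clock
 * second and are restarted whenever a segment arrives in a later second. */
struct small_pkt_guard {
    uint64_t second;   /* the second the counters below refer to */
    uint64_t packets;  /* payload-carrying segments seen in that second */
    uint64_t bytes;    /* payload bytes seen in that second */
};

/* Thresholds. GUARD_MIN_PPS is the 1000 packets/second floor from the
 * post; GUARD_MINMSS stands in for the kernel's minmss and its value
 * here (216) is an assumption for this example, not a quoted default. */
#define GUARD_MIN_PPS   1000u
#define GUARD_MINMSS    216u

enum guard_verdict { GUARD_OK = 0, GUARD_DROP = 1 };

/* Account one received segment of `payload_len` bytes arriving in
 * second `now_sec`. Returns GUARD_DROP when the connection should be
 * reset: more than GUARD_MIN_PPS segments in the current second AND an
 * average payload per segment below GUARD_MINMSS. Below the rate floor
 * the average is never consulted, so slow senders are never judged. */
enum guard_verdict guard_record(struct small_pkt_guard *g,
                                uint64_t now_sec, size_t payload_len)
{
    if (g->second != now_sec) {      /* a new second: start counting afresh */
        g->second = now_sec;
        g->packets = 0;
        g->bytes = 0;
    }
    g->packets++;
    g->bytes += payload_len;

    if (g->packets <= GUARD_MIN_PPS)
        return GUARD_OK;             /* not yet above the rate floor */

    uint64_t avg_payload = g->bytes / g->packets;   /* integer average */
    return avg_payload < GUARD_MINMSS ? GUARD_DROP : GUARD_OK;
}

/* Feed `n` equally sized segments that all arrive within second `sec`.
 * Returns 1 if the guard would have reset the connection, else 0. */
int simulate_stream(unsigned n, size_t payload_len, uint64_t sec)
{
    struct small_pkt_guard g = {0, 0, 0};
    for (unsigned i = 0; i < n; i++)
        if (guard_record(&g, sec, payload_len) == GUARD_DROP)
            return 1;
    return 0;
}

/* Same total, but spread evenly over two consecutive seconds, to show
 * that the per-second reset keeps a burst below the floor harmless. */
int simulate_split(unsigned n, size_t payload_len)
{
    struct small_pkt_guard g = {0, 0, 0};
    for (unsigned i = 0; i < n; i++) {
        uint64_t sec = (i < n / 2) ? 1 : 2;
        if (guard_record(&g, sec, payload_len) == GUARD_DROP)
            return 1;
    }
    return 0;
}

int main(void)
{
    /* constructed scenarios, not captured traffic */
    printf("1500 x 2-byte segments in one second: %s\n",
           simulate_stream(1500, 2, 7) ? "DROP" : "ok");
    printf("100 x 2-byte segments in one second:  %s\n",
           simulate_stream(100, 2, 7) ? "DROP" : "ok");
    printf("1500 x 1460-byte segments:            %s\n",
           simulate_stream(1500, 1460, 7) ? "DROP" : "ok");
    printf("1600 x 2-byte segments over 2 seconds: %s\n",
           simulate_split(1600, 2) ? "DROP" : "ok");
    return 0;
}
```

Two properties of this shape are worth noting when reading the real patch. First, the verdict is evaluated on every segment past the floor, so a flood is cut at the 1001st tiny segment of a second rather than at the end of the second. Second, because the counters restart each second, an attacker who stays at, say, 900 segments per second is never examined at all; the check is deliberately a cap on the extreme case, not a general small-segment policy, which is exactly the trade-off the post makes when it prefers 1000 over 500 to avoid false positives on copy-paste-heavy ssh sessions.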
More information about the freebsd-current mailing list