the TCP MSS resource exhaustion commit
andre at freebsd.org
Fri Jan 9 07:12:50 PST 2004
Bernd Walter wrote:
> On Fri, Jan 09, 2004 at 03:23:53PM +0100, Andre Oppermann wrote:
> > Thorsten Greiner wrote:
> > >
> > > * Andre Oppermann <andre at freebsd.org> [2004-01-09 11:34]:
> > > > You can simply increase net.inet.tcp.minmssoverload to any
> > > > higher value. I suggest 2,000 as next step. If set it to
> > > > 0 the check will be disabled entirely.
> > >
> > > Setting net.inet.tcp.minmssoverload to 4000 fixed my problem(s).
> > Ok, that's important information.
> > > > This makes me wonder why the Oracle database server is sending
> > > > so many small packets. Is your JBoss application doing connection
> > > > pooling (eg. multiplexing multiple SQL sessions over one tcp
> > > > session)?
> > >
> > > It performs connection pooling on the application layer, i.e. it
> > > opens several connections and pools them to avoid reopening them. As
> > > far as I understand each Oracle connection is associated with a TCP
> > > connection - there is no pooling on the TCP level.
> > Ok. Might it be that Oracle is setting the TCP_NODELAY option on
> > its sending socket? I guess it is difficult to find that out...
> > > While I have read your commit message thoroughly I am not sure I
> > > have understood the consequences of the new mechanism. Will the
> > > exchange of many small packets trigger a connection drop?
> > Yes. Once you receive more than 1,000 tcp packets per second whose
> > average size is below the net.inet.tcp.minmss value, then it will
> > assume a malicious DoS attack. It appears that the default value
> > of 1,000 is too low.
> What about ACKs from a simple TCP device such as a microcontroller?
> Or SLIP connections with an MTU of 300?
> Many smaller controllers don't have enough RAM to do delayed acks
> or run at MTU 1500.
> Even a handful of public webservers are running on such systems!
> I'm a bit worried about having such a feature enabled by default to
> break TCP communication with specialised hardware.
If the microcontroller doesn't have enough RAM to do delayed ACKs
I highly doubt that it is capable of generating 1,000 packets per
The detection logic only applies to TCP packets containing payload,
not to ACKs or anything else.
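To make the behaviour described in this thread concrete, here is an added user-space model of the check (it is not the FreeBSD tcp_input.c code, and the struct and function names are invented for illustration). It counts only payload-carrying segments per one-second window, fires once more than net.inet.tcp.minmssoverload of them arrive with an average payload below net.inet.tcp.minmss, and treats overload=0 as disabled. The minmss value of 216 used below is an assumption; the overload default of 1,000 and the suggested 4,000 come from the thread. All traffic replayed is constructed, not captured.

```c
/* Added example: a user-space model of the small-segment rate check
 * discussed in the thread. It is NOT the FreeBSD tcp_input.c code; the
 * names below are hypothetical and exist only for illustration. */
#include <stdio.h>
#include <stdint.h>

/* Tunables standing in for the sysctls named in the thread. */
#define MINMSS_DEFAULT      216   /* assumed net.inet.tcp.minmss value */
#define OVERLOAD_DEFAULT    1000  /* net.inet.tcp.minmssoverload default per thread */

/* Per-connection state (hypothetical; stands in for fields in a tcpcb). */
struct smallseg_state {
    uint64_t window_start_ms;  /* start of the current one-second window */
    uint32_t pkts;             /* payload-carrying segments in the window */
    uint64_t bytes;            /* payload bytes seen in the window */
};

/*
 * Account one received TCP segment. Returns 1 if the connection should be
 * dropped as a suspected small-segment flood, 0 otherwise.
 *
 * Rules modelled from the thread:
 *  - overload == 0 disables the check entirely;
 *  - segments without payload (pure ACKs) are never counted;
 *  - once more than `overload` payload segments arrive within one second
 *    and their average payload size is below `minmss`, the connection is
 *    flagged.
 */
int smallseg_check(struct smallseg_state *st, uint64_t now_ms,
                   uint32_t payload_len, uint32_t minmss, uint32_t overload)
{
    if (overload == 0 || minmss == 0)
        return 0;                       /* check disabled */
    if (payload_len == 0)
        return 0;                       /* pure ACK: not counted */

    if (now_ms - st->window_start_ms >= 1000) {
        /* New one-second window: start counting afresh. */
        st->window_start_ms = now_ms;
        st->pkts = 0;
        st->bytes = 0;
    }
    st->pkts++;
    st->bytes += payload_len;

    if (st->pkts > overload && st->bytes / st->pkts < minmss)
        return 1;
    return 0;
}

/*
 * Replay `n` segments of `payload_len` bytes spread evenly over `span_ms`
 * milliseconds into a fresh state. Returns the segment index at which the
 * check fired, or -1 if it never fired. Input is constructed, not captured.
 */
int replay(uint32_t n, uint32_t payload_len, uint32_t span_ms,
           uint32_t minmss, uint32_t overload)
{
    struct smallseg_state st = { 0, 0, 0 };
    for (uint32_t i = 0; i < n; i++) {
        uint64_t t = (uint64_t)i * span_ms / n;
        if (smallseg_check(&st, t, payload_len, minmss, overload))
            return (int)i;
    }
    return -1;
}

int main(void)
{
    /* 1,500 forty-byte result rows in one second: flagged with defaults. */
    printf("small rows, default overload: fired at %d\n",
           replay(1500, 40, 1000, MINMSS_DEFAULT, OVERLOAD_DEFAULT));
    /* Same traffic after raising the knob to 4000, as the thread suggests. */
    printf("small rows, overload=4000:    fired at %d\n",
           replay(1500, 40, 1000, MINMSS_DEFAULT, 4000));
    /* Same rate spread over two seconds: never exceeds 1,000 per window. */
    printf("small rows over 2 seconds:    fired at %d\n",
           replay(1500, 40, 2000, MINMSS_DEFAULT, OVERLOAD_DEFAULT));
    /* 1,500 pure ACKs per second (microcontroller case): never counted. */
    printf("pure ACKs:                    fired at %d\n",
           replay(1500, 0, 1000, MINMSS_DEFAULT, OVERLOAD_DEFAULT));
    /* Same packet rate but full-size segments: average above minmss. */
    printf("1460-byte segments:           fired at %d\n",
           replay(1500, 1460, 1000, MINMSS_DEFAULT, OVERLOAD_DEFAULT));
    /* Check disabled with overload=0. */
    printf("disabled:                     fired at %d\n",
           replay(1500, 40, 1000, MINMSS_DEFAULT, 0));
    return 0;
}
```

The replay helper shows why the Oracle case trips the default: 1,500 small result-row segments inside one second pass the 1,000-packet threshold at the 1,001st segment with an average of 40 bytes, while the same segments spread over two seconds, the same rate of pure ACKs, or full-size segments never do. Raising the knob to 4,000 (or setting it to 0) lets the legitimate traffic through.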