the TCP MSS resource exhaustion commit
Dan Nelson
dnelson at allantgroup.com
Fri Jan 9 08:08:24 PST 2004
In the last episode (Jan 09), Andre Oppermann said:
> Bernd Walter wrote:
> > On Fri, Jan 09, 2004 at 03:23:53PM +0100, Andre Oppermann wrote:
> > > Thorsten Greiner wrote:
> > > > While I have read your commit message thoroughly I am not sure
> > > > I have understood the consequences of the new mechanism. Will
> > > > the exchange of many small packets trigger a connection drop?
> > >
> > > Yes. Once you receive more than 1,000 tcp packets per second
> > > whose average size is below the net.inet.tcp.minmss value, then
> > > it will assume a malicious DoS attack. It appears that the
> > > default value of 1,000 is too low.
>
> The detection logic only applies to TCP packets containing payload,
> not to ACKs or anything else.
The Oracle case was probably triggered by the ping-ponging effect that
running many small queries causes. People running MySQL as a backend
for webservers will probably trigger the same thing.
You should probably also ignore any connections originating from local
networks, ignore any connections where TCP_NODELAY is set (which will
cover the ssh case), and ignore packets where the reply has data in it
(which will cover Oracle, MySQL, xmlrpc, NFS, NIS, and any other
request-reply protocol with small packets).
--
Dan Nelson
dnelson at allantgroup.com
More information about the freebsd-current
mailing list