Fwd: Patches to improve SYN performance when under attack
gnn at neville-neil.com
Sat May 7 15:17:34 UTC 2016
Can folks take a quick look at these?
> From: Robert N. M. Watson <robert.watson at cl.cam.ac.uk>
> To: George V. Neville-Neil <gnn at neville-neil.com>
> Subject: Fwd: Patches to improve SYN performance when under attack
> Date: Wed, 27 Apr 2016 15:31:34 +0100
> Possibly something for the TCP group to talk about sometime.
>> Begin forwarded message:
>> From: Richard Clayton <richard at highwayman.com>
>> Subject: Patches to improve SYN performance when under attack
>> Date: 27 April 2016 at 15:20:20 BST
>> To: Robert Watson <robert.watson at cl.cam.ac.uk>
>> As discussed, first patch is Oct 2015, second Apr 2016
>> This patch series takes the steps to use normal TCP/DCCP ehash
>> table to store SYN_RECV requests, instead of the private per-
>> listener hash table we had until now.
>> SYNACK skb are now attached to their syn_recv request socket, so
>> that we no longer heavily modify listener sk_wmem_alloc.
>> listener lock is no longer held in fast path, including SYNCOOKIE
>> During my tests, my server was able to process 3,500,000 SYN
>> packets per second on one listener and still had available cpu
>> That is about 2 to 3 order of magnitude what we had with older
>> Last known hot point during SYNFLOOD attack is the clearing of
>> rx_opt.saw_tstamp in tcp_rcv_state_process()
>> It is not needed for a listener, so we move it where it matters.
>> Performance while a SYNFLOOD hits a single listener socket went
>> from 5 Mpps to 6 Mpps on my test server (24 cores, 8 NIC RX queues)
>> richard @ highwayman . com "Nothing seems the same
>> Still you never see the change from day to day
>> And no-one notices the customs slip away"
More information about the freebsd-transport