svn commit: r191259 - head/sys/netinet

Robert Watson rwatson at FreeBSD.org
Mon Apr 20 10:33:06 UTC 2009


On Mon, 20 Apr 2009, Kip Macy wrote:

>> ... which means you fall back to the ordinary routing lookups, but only 
>> after you have wasted cycles to compute a hash and found out that it 
>> doesn't match anything in your cache -> in this case I would expect only a 
>> degradation in performance, not an improvement.
>
> If your normal operating conditions are DDOS then you have more serious 
> problems. I said that the system would not collapse as you were in fact 
> claiming, not that it would perform optimally.

I think a useful test case to exercise this would be to look at the 
performance of a real-world benchmark during a simulated synflood from spoofed 
source IPs in which you gradually scale up the size of the source IP pool for 
the synflood, as compared to running without the flowcache.  The overhead of 
all the flowcache misses should, presumably, be quite noticeable once it 
overflows, as it adds additional locking and lookups (both of which have 
historically been very noticeable). I think the important question is not 
whether we can measure the overhead (if we can't then we're not testing 
right), but whether it leads to a performance collapse that didn't previously 
exist.

Robert N M Watson
Computer Laboratory
University of Cambridge
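The benchmark question Robert raises (does flowcache overhead merely grow with the spoofed-source pool, or does it tip into a collapse once the cache overflows?) can be sketched offline before touching a kernel. The following is an added example, not code from this thread or from the FreeBSD flowtable: a constructed model of a bounded LRU flow cache fed by packets whose source address is drawn from a pool of `pool_size` spoofed sources, keyed on the source address (an assumption chosen so that scaling the source pool is what drives misses). The per-packet costs `HASH_LOOKUP_COST` and `ROUTE_LOOKUP_COST` are made-up relative units, not measurements.

```python
import random
from collections import OrderedDict

# Relative per-packet costs; constructed for illustration, not measured values.
HASH_LOOKUP_COST = 0.2    # flow hash + bucket lock + probe, paid on every packet
ROUTE_LOOKUP_COST = 1.0   # full routing lookup, paid without a cache or on a miss


class FlowCache:
    """Bounded LRU cache of flow keys; evicts the least recently used entry."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.entries = OrderedDict()
        self.hits = 0
        self.misses = 0

    def lookup(self, key):
        """Return True on a hit; on a miss, install the key (evicting if full)."""
        if key in self.entries:
            self.entries.move_to_end(key)
            self.hits += 1
            return True
        self.misses += 1
        self.entries[key] = True
        if len(self.entries) > self.capacity:
            self.entries.popitem(last=False)
        return False


def simulate(pool_size, capacity, n_packets, seed=0):
    """Drive a FlowCache with n_packets whose spoofed source is uniform over
    pool_size addresses (constructed workload).  Returns miss rate and the
    modelled cost with and without the cache, plus relative overhead."""
    rng = random.Random(seed)
    cache = FlowCache(capacity)
    cost_with = 0.0
    for _ in range(n_packets):
        src = rng.randrange(pool_size)          # spoofed source address index
        key = (src, "target-host", "tcp")       # assumption: keyed on source
        cost_with += HASH_LOOKUP_COST
        if not cache.lookup(key):
            cost_with += ROUTE_LOOKUP_COST      # fall back to routing lookup
    cost_without = n_packets * ROUTE_LOOKUP_COST
    return {
        "miss_rate": cache.misses / n_packets,
        "cost_with": cost_with,
        "cost_without": cost_without,
        "overhead": cost_with / cost_without - 1.0,
    }


def sweep(capacity, n_packets, pool_sizes):
    """Scale the source pool past the cache size, as the thread proposes, and
    report (pool_size, miss_rate, overhead) for each step."""
    return [
        (p, simulate(p, capacity, n_packets)["miss_rate"],
            simulate(p, capacity, n_packets)["overhead"])
        for p in pool_sizes
    ]


if __name__ == "__main__":
    for pool, miss, over in sweep(256, 2000, [16, 128, 256, 1024, 10000, 1000000]):
        print(f"pool={pool:>8}  miss_rate={miss:.3f}  overhead={over:+.3f}")
```

In this model the overhead is bounded: once the pool dwarfs the cache, every packet pays the hash probe plus the routing lookup, so cost rises by a fixed fraction (`HASH_LOOKUP_COST / ROUTE_LOOKUP_COST`) rather than diverging. What the model cannot capture is the part Robert flags as historically expensive, lock contention and cache-line traffic on the hash buckets under many cores, which is exactly why the real benchmark, not the sketch, decides whether a collapse exists.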

