Re: [RFC PATCH 0/2] Faster/parallel SYN handling to mitigate SYN floods

[RFC PATCH 0/2] Faster/parallel SYN handling to mitigate SYN floods · Jesper Dangaard Brouer <hidden> · 2012-05-28
[RFC PATCH 2/2] tcp: Early SYN limit and SYN cookie handling to mitigate SYN floods · Jesper Dangaard Brouer <hidden> · 2012-05-28
Re: [RFC PATCH 2/2] tcp: Early SYN limit and SYN cookie handling to mitigate SYN floods · Andi Kleen <hidden> · 2012-05-29
Re: [RFC PATCH 2/2] tcp: Early SYN limit and SYN cookie handling to mitigate SYN floods · David Miller <davem@davemloft.net> · 2012-05-29
Re: [RFC PATCH 2/2] tcp: Early SYN limit and SYN cookie handling to mitigate SYN floods · Eric Dumazet <hidden> · 2012-05-30
Re: [RFC PATCH 2/2] tcp: Early SYN limit and SYN cookie handling to mitigate SYN floods · Jesper Dangaard Brouer <hidden> · 2012-05-30
Re: [RFC PATCH 2/2] tcp: Early SYN limit and SYN cookie handling to mitigate SYN floods · Eric Dumazet <hidden> · 2012-05-30
Re: [RFC PATCH 2/2] tcp: Early SYN limit and SYN cookie handling to mitigate SYN floods · Jesper Dangaard Brouer <hidden> · 2012-05-30
Re: [RFC PATCH 2/2] tcp: Early SYN limit and SYN cookie handling to mitigate SYN floods · Eric Dumazet <hidden> · 2012-05-30
Re: [RFC PATCH 2/2] tcp: Early SYN limit and SYN cookie handling to mitigate SYN floods · Hans Schillstrom <hidden> · 2012-05-30
Re: [RFC PATCH 2/2] tcp: Early SYN limit and SYN cookie handling to mitigate SYN floods · Eric Dumazet <hidden> · 2012-05-30
Re: [RFC PATCH 2/2] tcp: Early SYN limit and SYN cookie handling to mitigate SYN floods · Hans Schillstrom <hidden> · 2012-05-30
Re: [RFC PATCH 2/2] tcp: Early SYN limit and SYN cookie handling to mitigate SYN floods · Rick Jones <hidden> · 2012-05-30
Re: [RFC PATCH 2/2] tcp: Early SYN limit and SYN cookie handling to mitigate SYN floods · Eric Dumazet <hidden> · 2012-05-31
Re: [RFC PATCH 2/2] tcp: Early SYN limit and SYN cookie handling to mitigate SYN floods · Hans Schillstrom <hidden> · 2012-05-31
Re: [RFC PATCH 2/2] tcp: Early SYN limit and SYN cookie handling to mitigate SYN floods · Eric Dumazet <hidden> · 2012-05-31
Re: [RFC PATCH 2/2] tcp: Early SYN limit and SYN cookie handling to mitigate SYN floods · Hans Schillstrom <hidden> · 2012-05-31
Re: [RFC PATCH 2/2] tcp: Early SYN limit and SYN cookie handling to mitigate SYN floods · Eric Dumazet <hidden> · 2012-05-31
[RFC PATCH 1/2] tcp: extract syncookie part of tcp_v4_conn_request() · Jesper Dangaard Brouer <hidden> · 2012-05-28
Re: [RFC PATCH 0/2] Faster/parallel SYN handling to mitigate SYN floods · Christoph Paasch <hidden> · 2012-05-28
Re: [RFC PATCH 0/2] Faster/parallel SYN handling to mitigate SYN floods · Jesper Dangaard Brouer <hidden> · 2012-05-29
Re: [RFC PATCH 0/2] Faster/parallel SYN handling to mitigate SYN floods · Christoph Paasch <hidden> · 2012-05-29
Re: [RFC PATCH 0/2] Faster/parallel SYN handling to mitigate SYN floods · Jesper Dangaard Brouer <hidden> · 2012-05-30
Re: [RFC PATCH 0/2] Faster/parallel SYN handling to mitigate SYN floods · Eric Dumazet <hidden> · 2012-05-30
Re: [RFC PATCH 0/2] Faster/parallel SYN handling to mitigate SYN floods · Christoph Paasch <hidden> · 2012-05-30
Re: [RFC PATCH 0/2] Faster/parallel SYN handling to mitigate SYN floods · Jesper Dangaard Brouer <hidden> · 2012-05-30
Re: [RFC PATCH 0/2] Faster/parallel SYN handling to mitigate SYN floods · Jesper Dangaard Brouer <hidden> · 2012-05-31
Re: [RFC PATCH 0/2] Faster/parallel SYN handling to mitigate SYN floods · Eric Dumazet <hidden> · 2012-05-31
Re: [RFC PATCH 0/2] Faster/parallel SYN handling to mitigate SYN floods · Jesper Dangaard Brouer <hidden> · 2012-05-31
Re: [RFC PATCH 0/2] Faster/parallel SYN handling to mitigate SYN floods · Eric Dumazet <hidden> · 2012-05-31
Re: [RFC PATCH 0/2] Faster/parallel SYN handling to mitigate SYN floods · Jesper Dangaard Brouer <hidden> · 2012-05-31
Re: [RFC PATCH 0/2] Faster/parallel SYN handling to mitigate SYN floods · Eric Dumazet <hidden> · 2012-05-30

From: Eric Dumazet <hidden>
Date: 2012-05-31 12:58:27

On Thu, 2012-05-31 at 14:51 +0200, Jesper Dangaard Brouer wrote:

On Thu, 2012-05-31 at 00:40 +0200, Jesper Dangaard Brouer wrote:

quoted

That seems like a very unlikely situation, which we perhaps should
neglect as we are under SYN attack.

I will test the attack vector, if we instead of dropping the reqsk,
fall back into the slow locked path.

I can provoke this attack vector, and performance is worse, if not
dropping the reqsk early.

Generator SYN flood at 750Kpps, sending false retransmits mixture.

- With early drop: 406 Kpps
- With return to locked processing: 251 Kpps

Its still better than the approx 150Kpps, without any patches.

How many different IP addresses are used by your generator ?

Or maybe you disabled IP route cache ?

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help