Re: [PATCH net-next] tcp: avoid tx starvation by SYNACK packets
From: Eric Dumazet <hidden>
Date: 2012-06-02 05:46:37
On Fri, 2012-06-01 at 18:28 -0700, Dave Taht wrote:
> On Thu, May 31, 2012 at 2:56 PM, Eric Dumazet [off-list ref] wrote:
> > From: Eric Dumazet <edumazet@google.com>
> >
> > pfifo_fast being the default Qdisc, it's pretty easy to fill it with SYNACK (small) packets while host is under SYNFLOOD attack.
> >
> > Packets of established TCP sessions are dropped and host appears almost dead.
> >
> > Avoid this problem assigning TC_PRIO_FILLER priority to SYNACK generated in SYNCOOKIE mode, so that these packets are enqueued into pfifo_fast band 2.
> >
> > Other packets, queued to band 0 or 1 are dequeued before any SYNACK packets waiting in band 2.
>
> I am curious as to how well fq_codel survives an attack like this, without aid.

codel or fq_codel are not doing priority classification. SYNACK will spread in all hash buckets and global queue limit can be hit. fq_codel won't protect you by itself, unless you use a hierarchy with one "prio" and two or three "fq_codel".
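
The hierarchy described in the reply above, sketched as an added example that is not part of the original message or of the kernel patch: a `prio` root with one `fq_codel` per band, so that each band has its own queue limit and packets marked TC_PRIO_FILLER (priority 1) land in the last band. The device name `eth0`, the handle numbers and the helper function names are assumptions; the priomap is the `prio`/pfifo_fast default written out explicitly.

```shell
#!/bin/sh
# Added example: build a prio + fq_codel hierarchy (dry run by default).
# Assumptions: device eth0, handles 1:/10:/20:/30:, helper names below.

# Default prio/pfifo_fast priomap: index = skb priority (0..15), value = band (0..2).
PRIOMAP="1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1"

# Print the prio class minor (1..3) that a given skb priority maps to.
band_for_prio() {
    # shellcheck disable=SC2086
    set -- "$1" $PRIOMAP      # $1 = priority, $2.. = priomap entries
    prio=$1
    shift $((prio + 1))       # now $1 = PRIOMAP[prio]
    echo $(( $1 + 1 ))        # band N is class 1:(N+1)
}

# Print the tc commands for one prio root with an fq_codel leaf per band.
prio_fq_codel_cmds() {
    dev=$1
    echo "tc qdisc replace dev $dev root handle 1: prio bands 3 priomap $PRIOMAP"
    for band in 1 2 3; do
        echo "tc qdisc replace dev $dev parent 1:$band handle ${band}0: fq_codel"
    done
}

# Dry run prints the commands; APPLY=1 (as root) executes them.
if [ "${APPLY:-0}" = "1" ]; then
    prio_fq_codel_cmds "${DEV:-eth0}" | sh -e
else
    prio_fq_codel_cmds "${DEV:-eth0}"
    echo "# TC_PRIO_FILLER (1) -> class 1:$(band_for_prio 1)"
fi
```

After applying, `tc -s qdisc show dev eth0` reports drops per leaf, which shows whether SYNACK pressure stays confined to the `30:` leaf.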