From owner-freebsd-security Tue Jan 25 15:37:53 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ind.alcatel.com (postal.xylan.com [208.8.0.248]) by hub.freebsd.org (Postfix) with ESMTP id 9F99C15331 for ; Tue, 25 Jan 2000 15:37:50 -0800 (PST) (envelope-from wes@softweyr.com)
Received: from mailhub.xylan.com (mailhub [198.206.181.70]) by ind.alcatel.com (8.9.3+Sun/8.9.1 (ind.alcatel.com 3.0 [OUT])) with SMTP id PAA06376; Tue, 25 Jan 2000 15:37:18 -0800 (PST)
X-Origination-Site:
Received: from omni.xylan.com by mailhub.xylan.com (SMI-8.6/SMI-SVR4 (mailhub 2.1 [HUB])) id PAA23071; Tue, 25 Jan 2000 15:37:18 -0800
Received: from softweyr.com (dyn0.utah.xylan.com [198.206.184.236]) by omni.xylan.com (8.9.3+Sun/8.9.1 (Xylan engr [SPOOL])) with ESMTP id PAA15575; Tue, 25 Jan 2000 15:37:16 -0800 (PST)
Message-ID: <388E34CA.5FAFDA3@softweyr.com>
Date: Tue, 25 Jan 2000 16:42:02 -0700
From: Wes Peters
Organization: Softweyr LLC
X-Mailer: Mozilla 4.7 [en] (X11; U; FreeBSD 3.3-RELEASE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Matthew Dillon
Cc: security@freebsd.org
Subject: Re: tcp patch tests good (w/ test results) (was Re: Merged patches)
References: <200001251733.JAA04770@apollo.backplane.com> <200001251637.JAA04226@harmony.village.org> <200001251736.KAA04666@harmony.village.org> <200001251919.LAA05907@apollo.backplane.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Matthew Dillon wrote:
> 
>     I'm testing it... oh what fun!  On a 100BaseTX switched network,
>     with a dual-cpu 450 MHz SMP box as the attacker and a UP build -current
>     box (450 MHz) as the victim (UP build so the idle times come out right):
> 
>        attacker        victim           victim           victim
>                        ICMP_BANDLIM     ICMP_BANDLIM     TCP_RESTRICT_RST
>                        output lim 100   output lim 10    enabled
>                                                          (ICMP_BANDLIM off)
> 
>          1600 pps      98% idle         98% idle         98% idle
>          6400 pps      95% idle         95% idle         95% idle
>         12800 pps      90% idle         90% idle         90% idle
>         34000 pps      74% idle         74% idle         76% idle
>         41000 pps      69% idle         70% idle         70% idle
>         58000 pps      57% idle         57% idle         58% idle
>         88000 pps      34% idle         34% idle         36% idle
>         96000 pps      28% idle         29% idle         30% idle
>        103000 pps      23% idle         23% idle         23% idle
> 
>     When I did an SMP build for the victim, it stopped responding at around
>     99000 pps, and started responding again after I stopped the attack.  Apart
>     from that the numbers were similar -- the SMP box was somewhat less
>     efficient for obvious reasons.
> 
>     I can't shove out more than 103000 pps on my attack box.  At 103000 pps
>     the network was pushing around 6.2 MBytes/sec.  I've got to run so I
>     don't have time to attack from several sources at once.
> 
>     In any case, I think the patch can be committed.  The rest of my network
>     was idle (no multicast bounce leakage) during the test.  I leave it up
>     to Warner to decide whether to enable ICMP_BANDLIM in GENERIC by default
>     or not.  After thinking about it some more, I think I *would* enable it
>     in GENERIC.
> 
>     These boxes both have on-motherboard 'fxp' ethernets (Intel EtherExpress
>     Pro 10/100B).

Thanks, Matt, and good work.  I'll be doing the same testing here on -STABLE
later on, when I can safely leak packets to the main lan (just in case. ;^)

-- 
            "Where am I, and what am I doing in this handbasket?"

Wes Peters                                                         Softweyr LLC
wes@softweyr.com                                           http://softweyr.com/
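The ICMP_BANDLIM columns in the quoted table measure a victim that caps how many ICMP error and TCP RST responses it will emit per second, so a flood aimed at closed ports cannot turn the box into a reflector. As an added illustration, not code from this thread and not the FreeBSD kernel's own implementation (badport_bandlim() in sys/netinet/ip_icmp.c, which is structured differently and should be read directly), the C program below models that kind of limiter: a fixed one-second accounting window, an independent counter per response category, a per-window cap where 0 means "limiter off", and a constructed flood replayed at some of the packet rates from the table. The window length, the category names, the function names and the suppressed-response statistic are all assumptions of the example.

```c
/*
 * Added example (not code from this thread or from the FreeBSD kernel):
 * a simplified per-second response limiter in the spirit of ICMP_BANDLIM.
 * Window length, category names and the statistics counter are assumptions.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define BANDLIM_WINDOW_MS 1000UL   /* assumed: responses are counted per one-second window */

/* One counter per response category (assumed categories), so a flood that
 * exhausts the RST budget does not also silence ICMP unreachables. */
enum bandlim_type { BL_ICMP_UNREACH = 0, BL_TCP_RST, BL_NTYPES };

struct bandlim {
    unsigned long limit;        /* responses allowed per window; 0 = limiter off */
    unsigned long window_start; /* ms timestamp at which the current window opened */
    unsigned long count;        /* responses emitted in the current window */
    unsigned long suppressed;   /* responses dropped since init, for statistics */
};

static struct bandlim bandlim_state[BL_NTYPES];

/* Configure category t with a per-window cap and clear its counters. */
void bandlim_init(enum bandlim_type t, unsigned long limit)
{
    memset(&bandlim_state[t], 0, sizeof bandlim_state[t]);
    bandlim_state[t].limit = limit;
}

/* Decide whether a response of category t may be sent at time now_ms.
 * A suppressed response is counted but never put on the wire. */
bool bandlim_allow(enum bandlim_type t, unsigned long now_ms)
{
    struct bandlim *bl = &bandlim_state[t];

    if (bl->limit == 0)
        return true;                        /* limiter disabled for this category */

    if (now_ms - bl->window_start >= BANDLIM_WINDOW_MS) {
        bl->window_start = now_ms;          /* open a fresh window */
        bl->count = 0;
    }
    if (bl->count >= bl->limit) {
        bl->suppressed++;
        return false;
    }
    bl->count++;
    return true;
}

unsigned long bandlim_suppressed(enum bandlim_type t)
{
    return bandlim_state[t].suppressed;
}

/* Constructed flood: pps packets per second for `seconds` seconds, spread
 * evenly through each second, each of which would elicit one response of
 * category t.  Returns how many responses the limiter lets through. */
unsigned long bandlim_simulate_flood(enum bandlim_type t, unsigned long limit,
                                     unsigned long pps, unsigned long seconds)
{
    unsigned long sent = 0;

    bandlim_init(t, limit);
    if (pps == 0)
        return 0;
    for (unsigned long s = 0; s < seconds; s++) {
        for (unsigned long i = 0; i < pps; i++) {
            unsigned long now_ms = s * 1000UL + (i * 1000UL) / pps;
            if (bandlim_allow(t, now_ms))
                sent++;
        }
    }
    return sent;
}

int main(void)
{
    /* Three of the attack rates from the table above, three seconds each,
     * against the limiter off, "output lim 100" and "output lim 10". */
    static const unsigned long rates[]  = { 1600, 41000, 103000 };
    static const unsigned long limits[] = { 0, 100, 10 };

    printf("%10s %10s %12s %12s\n", "pps", "limit", "sent", "suppressed");
    for (size_t r = 0; r < sizeof rates / sizeof rates[0]; r++) {
        for (size_t l = 0; l < sizeof limits / sizeof limits[0]; l++) {
            unsigned long sent = bandlim_simulate_flood(BL_TCP_RST, limits[l], rates[r], 3);
            printf("%10lu %10lu %12lu %12lu\n", rates[r], limits[l], sent,
                   bandlim_suppressed(BL_TCP_RST));
        }
    }
    return 0;
}
```

Note what the cap does and does not buy: it bounds the victim's outbound responses (100 or 10 per second regardless of a 103000 pps flood), which is what protects the rest of the network and any spoofed third party. It does not reduce the work of receiving and classifying each incoming packet, which is why the idle percentages in the three victim columns of the table track each other so closely.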