From: "Justin Robertson" <justin@sk1llz.net>
To: freebsd-ipfw@freebsd.org
Date: Wed, 7 Mar 2007 12:54:49 -0800
Subject: IPFW SACK options
List-Id: IPFW Technical Discussions

So I've done lots of 'worst case' benchmarks on 6.2 and 4.11 machines replicating DDoS traffic. Sadly it has become apparent that the 6 series simply cannot keep pace with the 4.11 branch.

UDP floods of 28 or 29 byte packets in the 200mbps range will cause a 6.x machine to lose all internet connectivity (no in/outbound traffic, TCP, ICMP, UDP, etc). TCP floods (syn/ack/etc) net the same results at around 230mbps of traffic. TCP SYN floods with the selective ACK (SACK / sackOK) option set result in the 6.x series starting to drop packets aggressively in the 1mbps range; as you approach the 100mbps point there is a total loss of all internet connectivity.

4.11 appears to deal with the UDP and TCP floods flawlessly up to full gigabit; however, the TCP SYN floods with selective ACK (sackOK) cause it to lag quite badly at the 100mbps point. Adding an ipfw rule to drop these packets results in the box returning to full performance as though the flood was not in progress. The problem is that you can't blanket-rule these (real traffic), and there's no dynamic pps/destination measure, nor a scripted way to react quickly enough to prevent latency. (Also, pipes do NOT stop the lag.)

Due to the nature of the current performance disparity between 6.x (I assume this is due to the work on making processes thread friendly?) and 4.11 (still kicking arse) I'm sticking with the 4.11 branch - and here comes my question. If someone is interested, could you work up an option to allow removal of the sackOK (sack permitted negotiation) on SYN packets, and then pass the SYN packet on with the tcpoption for sack stripped? If this was done for the 6/7 series I'd attempt to backport it myself to 4.11, but if someone were able to do a workup for the 4.11 branch that would truly make my day, and probably another donation to the FreeBSD fund.

J (happy 4.11-RELEASE-p26 user).

-Justin
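The option rewrite the mail asks for, shown as an added illustration that is not part of this post or of ipfw: a C routine that walks a TCP option block, counts SACK-permitted options (kind 4) and, when asked, overwrites them in place with NOPs so the data offset and the remaining options stay valid, refusing to read past a malformed option. The sample option block and the demo_ functions are constructed for this example; a real filter would also have to recompute the TCP checksum after the rewrite.

```c
#include <stdint.h>
#include <string.h>
enum { TCPOPT_EOL = 0, TCPOPT_NOP = 1, TCPOPT_SACK_PERMITTED = 4 }; /* RFC 793, RFC 2018 */

/* Walk a TCP option block of `len` bytes. Returns how many SACK-permitted
 * options it holds, or -1 if an option is malformed (length below 2 or past
 * the end). With `strip` set, each SACK-permitted option is overwritten with
 * NOPs in place, so the data offset and the later options stay intact. */
int tcp_sack_permitted(uint8_t *opts, size_t len, int strip)
{
    size_t i = 0;
    int found = 0;
    while (i < len) {
        uint8_t kind = opts[i], olen;
        if (kind == TCPOPT_EOL)
            break;                                  /* end of option list */
        if (kind == TCPOPT_NOP) { i++; continue; }  /* one-byte padding */
        if (i + 1 >= len || (olen = opts[i + 1]) < 2 || i + olen > len)
            return -1;                              /* truncated or bad length */
        if (kind == TCPOPT_SACK_PERMITTED) {
            found++;
            if (strip)
                memset(opts + i, TCPOPT_NOP, olen);
        }
        i += olen;
    }
    return found;
}

/* Constructed sample: option block of a typical SYN (MSS 1460, NOP, NOP,
 * sackOK, NOP, window scale 7). */
static const uint8_t sample_syn_opts[12] = { 2, 4, 5, 0xb4, 1, 1, 4, 2, 1, 3, 3, 7 };

/* Count sackOK in a copy of the sample, optionally stripping it first. */
int demo_count(int strip_first)
{
    uint8_t buf[sizeof sample_syn_opts];
    memcpy(buf, sample_syn_opts, sizeof buf);
    if (strip_first)
        tcp_sack_permitted(buf, sizeof buf, 1);
    return tcp_sack_permitted(buf, sizeof buf, 0);
}

/* A block claiming a 9-byte option in 3 bytes is rejected, not read past. */
int demo_malformed(void)
{
    uint8_t bad[3] = { TCPOPT_SACK_PERMITTED, 9, 0 };
    return tcp_sack_permitted(bad, sizeof bad, 0);
}
```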