Skip site navigation (1)Skip section navigation (2) 
Date:      Sun, 23 Jan 2000 11:22:20 -0500
From:      Richard Steenbergen <ras@above.net>
To:        Alfred Perlstein <bright@wintelcom.net>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: stream.c
Message-ID:  <20000123112220.E18349@above.net>
In-Reply-To: <20000123083234.N26520@fw.wintelcom.net>; from Alfred Perlstein on Sun, Jan 23, 2000 at 08:32:34AM -0800
References:  <20000123102829.C18349@above.net> <20000123083234.N26520@fw.wintelcom.net>
next in thread | previous in thread | raw e-mail | index | archive | help 
On Sun, Jan 23, 2000 at 08:32:34AM -0800, Alfred Perlstein wrote:
> * Richard Steenbergen <ras@above.net> [000123 07:53] wrote:
> > 
> > The correct "sorta-fix" is to rate limit the number of dropwithreset's per
> > second, else kick them down to straight drop. I believe this has been done
> > effectively in http://www.freebsd.org/~alfred/tcp_fix.diff (though I
> > question what its aimed to be accomplished with that checksum work :P).
> 
> The idea is to reduce the amount of time spent doing checksums on invalid
> packets, why checksum if the destination port isn't open or no such
> connection is open?
> 
> Unfortunatly even after moving the checksum quite far into tcp_input's
> path it still seems pretty easy to eat all CPU on a box, in fact I
> didn't notice any improvement at all.
> 
> Maybe i'm missing something, those interested can have a try at:
> http://www.freebsd.org/~alfred/tcp_fix_untested.diff
> 
> maybe someone can tell me what i'm screwing up.

The checksums are a pretty small amount of the CPU time burned. The RST
generation is by far the worst, the PCB hash lookups are 2nd after that.

And really you shouldn't be doing any work at all if the checksum is
invalid. :P

-- 
Richard A. Steenbergen <ras@above.net>  http://users.quadrunner.com/humble
PGP Key ID: 0x60AB0AD1  (E5 35 10 1D DE 7D 8C A7  09 1C 80 8B AF B9 77 BB)
AboveNet Communications - AboveSecure Network Security Engineer, Vienna VA
"A mind is like a parachute, it works best when open."   -- Unknown


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000123112220.E18349>