Date: Tue, 07 Nov 2000 21:05:33 -0500 (EST)
From: Bosko Milekic <bmilekic@dsuper.net>
To: Andre Oppermann <oppermann@telehouse.ch>
Cc: arch@FreeBSD.ORG
Subject: Re: Green/Yellow/Red state for the VM system.
Message-ID: <Pine.BSF.4.21.0011072102190.79624-100000@jehovah.technokratis.com>
In-Reply-To: <3A08A882.AA428418@telehouse.ch>

On Wed, 8 Nov 2000, Andre Oppermann wrote:

> Let's have an example: There is a DoS attack being launched with
> thousands of TCP connections to some port. Now let's assume this
> would use up all available KVM resources. The thousand-and-first
> TCP connection cannot be handled anymore because there is no free
> KVM any more. Now the INET Networking subsystem has two options:
> 1) make some resources available, eg. drop all fin_wait connections,
> 2) refuse to accept this connection.

You forget about something. (2) has serious implications which are not
favorable. The system is not only going to refuse to accept the
connection, but it's going to get so wedged that it's going to start
dropping packets. The idea with the "yellow" flag would be to stop
accepting new connections, and rather just deal with the presently
established connections. This is way better than just dropping random
packets.

Bosko Milekic
bmilekic@technokratis.com