Date:      Fri, 09 Jan 2004 16:12:34 +0100
From:      Andre Oppermann <andre@freebsd.org>
To:        ticso@cicely.de
Cc:        current@freebsd.org
Subject:   Re: the TCP MSS resource exhaustion commit
Message-ID:  <3FFEC4E2.96DF5ED@freebsd.org>
References:  <20040109085522.GB4246@tybalt.nev.psi.de> <3FFE8232.730F70B8@freebsd.org> <20040109132453.GD2031@tybalt.nev.psi.de> <3FFEB979.3C705A85@freebsd.org> <20040109150625.GP51502@cicely12.cicely.de>

Bernd Walter wrote:
> 
> On Fri, Jan 09, 2004 at 03:23:53PM +0100, Andre Oppermann wrote:
> > Thorsten Greiner wrote:
> > >
> > > * Andre Oppermann <andre@freebsd.org> [2004-01-09 11:34]:
> > > > You can simply increase net.inet.tcp.minmssoverload to any
> > > > higher value.  I suggest 2,000 as next step.  If set it to
> > > > 0 the check will be disabled entirely.
> > >
> > > Setting net.inet.tcp.minmssoverload to 4000 fixed my problem(s).
> >
> > Ok, that's important information.
> >
> > > > This makes me wonder why the Oracle database server is sending
> > > > so many small packets.  Is your JBoss application doing connection
> > > > pooling (eg. multiplexing multiple SQL sessions over one tcp
> > > > session)?
> > >
> > > It performs connection pooling on the application layer, i.e. it
> > > opens several connections and pools them to avoid reopening them. As
> > > far as I understand each Oracle connection is associated with a TCP
> > > connection - there is no pooling on the TCP level.
> >
> > Ok.  Might it be that Oracle is setting the TCP_NODELAY option on
> > its sending socket?  I guess it is difficult to find that out...
> >
> > > While I have read your commit message thoroughly I am not sure I
> > > have understood the consequences of the new mechanism. Will the
> > > exchange of many small packets trigger a connection drop?
> >
> > Yes.  Once you receive more than 1,000 tcp packets per second whose
> > average size is below the net.inet.tcp.minmss value, then it will
> > assume a malicious DoS attack.  It appears that the default value
> > of 1,000 is too low.
> 
> What about ACKs from a simple TCP device such as a microcontroller?
> Or SLIP connections with an MTU of 300?
> Many smaller controllers don't have enough RAM to do delayed acks
> or run at MTU 1500.
> Even a handful of public webservers are running on such systems!
> I'm a bit worried about having such a feature enabled by default to
> break TCP communication with specialised hardware.

If the microcontroller doesn't have enough RAM to do delayed ACKs
I highly doubt that it is capable of generating 1,000 packets per
second.

The detection logic only applies to TCP packets containing payload,
not to ACKs or anything else.

-- 
Andre
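A small user-space model of the check described in this thread, added here as an illustration and not the FreeBSD kernel's own code: it keeps a per-connection one-second window, counts only payload-carrying segments (pure ACKs are ignored), and flags the connection once more than net.inet.tcp.minmssoverload of them arrive in a second with an average size under net.inet.tcp.minmss. The minmss value of 216, the millisecond clock and the simulate_flood helper are assumptions of the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-ins for the sysctls discussed in the thread.  1000 is the default
 * quoted above; the minmss value of 216 is an assumption for this model. */
static unsigned tcp_minmss = 216;          /* net.inet.tcp.minmss (assumed) */
static unsigned tcp_minmssoverload = 1000; /* net.inet.tcp.minmssoverload */

/* Per-connection accounting over the current one-second window. */
struct conn_state {
    uint64_t window_start_ms; /* when the current window began */
    unsigned pps;             /* payload-carrying segments in window */
    uint64_t byps;            /* payload bytes in window */
};

/* Called for every received segment; tlen is the TCP payload length.
 * Returns true when the connection looks like a small-packet flood.
 * Pure ACKs (tlen == 0) are never counted, as the reply above says. */
bool tcp_check_minmss(struct conn_state *c, uint64_t now_ms, unsigned tlen)
{
    if (tcp_minmssoverload == 0 || tlen == 0)
        return false;                /* check disabled, or no payload */
    if (now_ms - c->window_start_ms >= 1000) {
        c->window_start_ms = now_ms; /* new window: start afresh */
        c->pps = 1;
        c->byps = tlen;
        return false;
    }
    c->pps++;
    c->byps += tlen;
    /* More than the overload limit in one second AND tiny on average. */
    return c->pps > tcp_minmssoverload && c->byps / c->pps < tcp_minmss;
}

/* Constructed traffic: `count` segments of `tlen` bytes spread over one
 * second on a fresh connection.  Returns true if any of them trips the check. */
bool simulate_flood(unsigned count, unsigned tlen)
{
    struct conn_state c = {0, 0, 0};
    for (unsigned i = 0; i < count; i++)
        if (tcp_check_minmss(&c, (uint64_t)i * 999 / count, tlen))
            return true;
    return false;
}

int main(void)
{
    printf("1200 x 100B/s:  %s\n", simulate_flood(1200, 100) ? "drop" : "ok");
    printf("1200 x 1400B/s: %s\n", simulate_flood(1200, 1400) ? "drop" : "ok");
    return 0;
}
```

Raising tcp_minmssoverload to 4000, as done in the thread, makes the 1200-segment case pass; setting it to 0 disables the check entirely.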