Date:      21 Sep 1999 15:58:43 +0200
From:      Dag-Erling Smorgrav <des@flood.ping.uio.no>
To:        Kip Macy <kip@lyris.com>
Cc:        Dag-Erling Smorgrav <des@flood.ping.uio.no>, Joao Carlos <jcarlos@bahianet.com.br>, stable@FreeBSD.ORG, questions@FreeBSD.ORG, security@FreeBSD.ORG, hitech@bahianet.com.br
Subject:   Re: Out of mbuf clusters
Message-ID:  <xzpzoygnz70.fsf@flood.ping.uio.no>
In-Reply-To: Kip Macy's message of "Mon, 20 Sep 1999 11:47:54 -0700 (PDT)"
References:  <Pine.SOL.4.05.9909201137450.25063-100000@luna>

Kip Macy <kip@lyris.com> writes:
> This is in no way a rant against FreeBSD, but rather a rant against the
> attitude that one needs to know about OS internals to run a lightweight
> server.

Calling what he did to that box "running a lightweight server" is a
very very wide stretch of imagination. I haven't seen his CLONE
program and therefore can't speak with 100% assurance, but I've run
similar experiments against my own servers, so I think I'm entitled to
make an educated guess about the behaviour of CLONE. It simulates a
worst-case scenario for an IRC server: open hundreds of connections,
log on, join a channel, but don't consume the data the server sends.
This fills up the server's send queues and exhausts its mbuf pool.
Memory consumption is a quadratic function of the number of clones
(linear if you just connect without joining a channel).

The worst thing about CLONE is that it's neither a realistic
simulation of normal everyday IRC traffic (because real IRC clients
consume data almost as soon as it is sent, and therefore do not fill
up the server's send queues), nor of a typical attack against an IRC
server (because a properly-configured IRC server does not allow a
large number of connections from the same host, nor does it allow the
send queues to fill up, and is therefore practically immune to this
kind of attack).

This is what mbuf usage looks like on a real-world IRC server with
1800 clients:

root@irc ~# netstat -m
2859/9376 mbufs in use:
        947 mbufs allocated to data
        1912 mbufs allocated to packet headers
180/2466/8192 mbuf clusters in use (current/peak/max)
6104 Kbytes allocated to network (11% in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines

DES
-- 
Dag-Erling Smorgrav - des@flood.ping.uio.no
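
Added example, not part of the original message and not code from the author: a small monitoring check that parses `netstat -m` output in the format quoted above and reports the signs of mbuf cluster exhaustion the message describes (peak use near the maximum, denied or delayed requests, protocol drain calls). The function names, the 0.8 warning ratio and EXHAUSTED_SAMPLE are assumptions made for illustration.

```python
import re
import sys

# Copied from the netstat -m output quoted in the message above.
PAGE_SAMPLE = """\
2859/9376 mbufs in use:
        947 mbufs allocated to data
        1912 mbufs allocated to packet headers
180/2466/8192 mbuf clusters in use (current/peak/max)
6104 Kbytes allocated to network (11% in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines
"""
# Constructed sample (not from the message): cluster pool pinned at its limit.
EXHAUSTED_SAMPLE = """\
8192/8192/8192 mbuf clusters in use (current/peak/max)
412 requests for memory denied
37 requests for memory delayed
5 calls to protocol drain routines
"""

CLUSTERS = re.compile(r"^\s*(\d+)/(\d+)/(\d+) mbuf clusters in use", re.M)
COUNTER = re.compile(
    r"^\s*(\d+) (?:requests for memory|calls to protocol) (denied|delayed|drain)", re.M)

def parse_netstat_m(text):
    """Extract cluster usage and failure counters; raise if the cluster line is missing."""
    m = CLUSTERS.search(text)
    if m is None:
        raise ValueError("no 'mbuf clusters in use' line found")
    stats = dict(zip(("current", "peak", "max"), map(int, m.groups())))
    stats.update({"denied": 0, "delayed": 0, "drain": 0})
    for count, name in COUNTER.findall(text):
        stats[name] = int(count)
    return stats

def assess(stats, warn_ratio=0.8):
    """Return a list of findings; an empty list means the pool looks healthy."""
    findings = []
    if stats["max"] and stats["peak"] / stats["max"] >= warn_ratio:
        findings.append("peak cluster use at %d%% of max" % (100 * stats["peak"] // stats["max"]))
    for name in ("denied", "delayed", "drain"):
        if stats[name]:  # any non-zero counter means allocations failed or stalled
            findings.append("%d %s" % (stats[name], name))
    return findings

if __name__ == "__main__":  # on the server: netstat -m | python3 <this file>
    text = PAGE_SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    print(assess(parse_netstat_m(text)) or "ok")
```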

