Date: 21 Sep 1999 15:58:43 +0200
From: Dag-Erling Smorgrav <des@flood.ping.uio.no>
To: Kip Macy <kip@lyris.com>
Cc: Dag-Erling Smorgrav <des@flood.ping.uio.no>, Joao Carlos <jcarlos@bahianet.com.br>, stable@FreeBSD.ORG, questions@FreeBSD.ORG, security@FreeBSD.ORG, hitech@bahianet.com.br
Subject: Re: Out of mbuf clusters
Message-ID: <xzpzoygnz70.fsf@flood.ping.uio.no>
In-Reply-To: Kip Macy's message of "Mon, 20 Sep 1999 11:47:54 -0700 (PDT)"
References: <Pine.SOL.4.05.9909201137450.25063-100000@luna>
Kip Macy <kip@lyris.com> writes:
> This is in no way a rant against FreeBSD, but rather a rant against the
> attitude that one needs to know about OS internals to run a lightweight
> server.

Calling what he did to that box "running a lightweight server" is a very very wide stretch of imagination.

I haven't seen his CLONE program and therefore can't speak with 100% assurance, but I've run similar experiments against my own servers, so I think I'm entitled to make an educated guess about the behaviour of CLONE. It simulates a worst-case scenario for an IRC server: open hundreds of connections, log on, join a channel, but don't consume the data the server sends. This fills up the server's send queues and exhausts its mbuf pool. Memory consumption is a quadratic function of the number of clones (linear if you just connect without joining a channel).

The worst thing about CLONE is that it's neither a realistic simulation of normal everyday IRC traffic (because real IRC clients consume data almost as soon as it is sent, and therefore do not fill up the server's send queues), nor of a typical attack against an IRC server (because a properly-configured IRC server does not allow a large number of connections from the same host, nor does it allow the send queues to fill up, and is therefore practically immune to this kind of attack).

This is what mbuf usage looks like on a real-world IRC server with 1800 clients:

root@irc ~# netstat -m
2859/9376 mbufs in use:
        947 mbufs allocated to data
        1912 mbufs allocated to packet headers
180/2466/8192 mbuf clusters in use (current/peak/max)
6104 Kbytes allocated to network (11% in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines

DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
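The netstat -m output quoted in the message above can be turned into a monitoring check for mbuf pool pressure. The following is an added example, not part of the original e-mail; the function names and the 80% warning threshold are assumptions made here.

```python
import re

# Sample copied from the netstat -m output quoted in the message above.
SAMPLE = """\
2859/9376 mbufs in use:
        947 mbufs allocated to data
        1912 mbufs allocated to packet headers
180/2466/8192 mbuf clusters in use (current/peak/max)
6104 Kbytes allocated to network (11% in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines
"""

PATTERNS = {
    "mbufs": re.compile(r"^(\d+)/(\d+) mbufs in use", re.M),
    "clusters": re.compile(r"^(\d+)/(\d+)/(\d+) mbuf clusters in use", re.M),
    "denied": re.compile(r"^(\d+) requests for memory denied", re.M),
    "delayed": re.compile(r"^(\d+) requests for memory delayed", re.M),
    "drains": re.compile(r"^(\d+) calls to protocol drain routines", re.M),
}

def parse_netstat_m(text):
    """Return {field: tuple of ints}; raise ValueError on an unexpected format."""
    stats = {}
    for name, pat in PATTERNS.items():
        m = pat.search(text)
        if m is None:
            raise ValueError(f"netstat -m output lacks the {name!r} line")
        stats[name] = tuple(int(g) for g in m.groups())
    return stats

def assess(stats, warn_fraction=0.8):
    """List findings; warn_fraction is an assumed threshold, not from the message."""
    findings = []
    current, peak, maximum = stats["clusters"]
    if peak >= warn_fraction * maximum:
        findings.append(f"peak cluster use {peak}/{maximum} is near the limit")
    if current >= warn_fraction * maximum:
        findings.append(f"current cluster use {current}/{maximum} is near the limit")
    for key in ("denied", "delayed", "drains"):
        if stats[key][0] > 0:  # any non-zero counter means allocations came under pressure
            findings.append(f"{key} counter is {stats[key][0]}: mbuf pool under pressure")
    return findings

if __name__ == "__main__":
    for line in assess(parse_netstat_m(SAMPLE)) or ["mbuf pool healthy"]:
        print(line)
```

Run against the quoted output it reports a healthy pool: peak cluster use of 2466 is well below the 8192 maximum and all three pressure counters are zero.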