From owner-freebsd-current Tue Dec 1 08:47:40 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id IAA15847 for freebsd-current-outgoing; Tue, 1 Dec 1998 08:47:40 -0800 (PST) (envelope-from owner-freebsd-current@FreeBSD.ORG)
Received: from apollo.backplane.com (apollo.backplane.com [209.157.86.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id IAA15839 for ; Tue, 1 Dec 1998 08:47:38 -0800 (PST) (envelope-from dillon@apollo.backplane.com)
Received: (from dillon@localhost) by apollo.backplane.com (8.9.1/8.9.1) id IAA07545; Tue, 1 Dec 1998 08:47:17 -0800 (PST) (envelope-from dillon)
Date: Tue, 1 Dec 1998 08:47:17 -0800 (PST)
From: Matthew Dillon
Message-Id: <199812011647.IAA07545@apollo.backplane.com>
To: Garrett Wollman
Cc: "John Saunders" ,
Subject: Re: RE: D.O.S. attack protection enhancements commit (ICMP_BANDLIM)
References: <005b01be1cf6$e6368da0$6cb611cb@saruman.scitec.com.au> <199812010708.XAA03688@apollo.backplane.com> <199812011619.LAA04055@khavrinen.lcs.mit.edu>
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

:You can check net.inet.ip.intr_queue_drops to see whether this is in
:fact happening.
    You asked for it :-)

    shell2.ba.best.com      net.inet.ip.intr_queue_drops: 90
    shell3.ba.best.com      net.inet.ip.intr_queue_drops: 0
    shell4.ba.best.com      net.inet.ip.intr_queue_drops: 183
    shell5.ba.best.com      net.inet.ip.intr_queue_drops: 5504
    shell6.ba.best.com      net.inet.ip.intr_queue_drops: 16
    shell7.ba.best.com      net.inet.ip.intr_queue_drops: 497970
    shell8.ba.best.com      net.inet.ip.intr_queue_drops: 81
    shell9.ba.best.com      net.inet.ip.intr_queue_drops: 5
    shell10.ba.best.com     net.inet.ip.intr_queue_drops: 3
    shell11.ba.best.com     net.inet.ip.intr_queue_drops: 26
    shell12.ba.best.com     net.inet.ip.intr_queue_drops: 40458
    shell13.ba.best.com     net.inet.ip.intr_queue_drops: 180670
    shell14.ba.best.com     net.inet.ip.intr_queue_drops: 0
    shell15.ba.best.com     net.inet.ip.intr_queue_drops: 3028088
    shell16.ba.best.com     net.inet.ip.intr_queue_drops: 149220
    shell17.ba.best.com     net.inet.ip.intr_queue_drops: 1066352
    shell18.ba.best.com     net.inet.ip.intr_queue_drops: 130
    shell2.la.best.com      net.inet.ip.intr_queue_drops: 195054
    fpage1.ba.best.com      net.inet.ip.intr_queue_drops: 39
    fpage2.ba.best.com      net.inet.ip.intr_queue_drops: 94
    fpage3.ba.best.com      net.inet.ip.intr_queue_drops: 0
    commerce1.ba.best.com   net.inet.ip.intr_queue_drops: 0
    commerce2.ba.best.com   net.inet.ip.intr_queue_drops: 0
    commerce5.ba.best.com   net.inet.ip.intr_queue_drops: 42
    dweb1.ba.best.com       net.inet.ip.intr_queue_drops: 0
    dweb2.ba.best.com       net.inet.ip.intr_queue_drops: 0
    dweb3.ba.best.com       net.inet.ip.intr_queue_drops: 0
    proxy1.ba.best.com      net.inet.ip.intr_queue_drops: 171
    proxy2.ba.best.com      net.inet.ip.intr_queue_drops: 5
    proxy3.ba.best.com      net.inet.ip.intr_queue_drops: 13
    proxy4.ba.best.com      net.inet.ip.intr_queue_drops: 0
    lists1.best.com         net.inet.ip.intr_queue_drops: 99
    news1.best.com          net.inet.ip.intr_queue_drops: 0
    news2.best.com          net.inet.ip.intr_queue_drops: 0
    nntp1.ba.best.com       net.inet.ip.intr_queue_drops: 28
    kephalos.best.net       net.inet.ip.intr_queue_drops: 0
    flea.best.net           net.inet.ip.intr_queue_drops: 347249
    dns1.ba.best.net        net.inet.ip.intr_queue_drops: 493
    dns2.ba.best.net        net.inet.ip.intr_queue_drops: 2965
    dns3.ba.best.net        net.inet.ip.intr_queue_drops: 66203

:> IP on the local LAN, the ICMP replies get buffered while
:> the machine tries to ARP the destination.
:
:We should rate-limit ARPs, but don't.

    ARP's reasonably rate-limited because most subnets are /24's, it's
    the packets queued up waiting for the ARP to resolve that are the
    problem.

:> If not, the xmit
:> traffic goes to the switch which starts collisioning-out packets
:> when the router beyond the switch saturates.
:
:I'm sorry, I can't parse this.

    An etherswitch has an internal packet buffer.  If the buffer fills
    up the switch will generate a collision on packets being received to
    try to slow down the transmitters (by forcing backoff/retry) while
    the packet buffer drains.

:Then again, when you are receiving 20kpps of legitimate traffic, you
:still want to behave correctly.
:
:-GAWollman

    My patch doesn't touch legit traffic, only ICMP *error* replies that
    the machine tries to generate.

                                        -Matt

:--
:Garrett A. Wollman   | O Siem / We are all family / O Siem / We're all the same
:wollman@lcs.mit.edu  | O Siem / The fires of freedom
:Opinions not those of| Dance in the burning flame
:MIT, LCS, CRS, or NSA| - Susan Aglukark and Chad Irschick
:
:To Unsubscribe: send mail to majordomo@FreeBSD.org
:with "unsubscribe freebsd-current" in the body of the message
:

                                        Matthew Dillon
                                        Engineering, HiWay Technologies, Inc. & BEST Internet Communications & God knows what else.
                                        (Please include original email in any response)
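The mechanism Matt is defending in the exchange above, a limiter that caps how many ICMP *error* replies (and, by the same logic, RSTs to closed ports) a host will generate per second while leaving replies to legitimate traffic alone, is easy to state but worth seeing end to end. The following is an added example written for this page; it is not the ICMP_BANDLIM commit, not FreeBSD kernel code, and not anything posted in the thread. The class names, the tick rate `HZ`, the default limit of 100 replies per class per second, the simulated floods and the function names are all assumptions chosen for illustration. It shows a fixed one-second window limiter kept per reply class, the gate that bypasses it for non-error replies, and a constructed UDP-port flood run against it.

```c
/*
 * Added example, not code from the FreeBSD commit or from this thread:
 * a fixed-window limiter for ICMP *error* replies in the spirit of the
 * ICMP_BANDLIM idea discussed above. The class names, HZ, the default
 * limit and the simulated floods are assumptions for illustration only.
 */
#include <stdio.h>
#include <string.h>

#define HZ              100   /* assumed: kernel ticks per second */
#define ICMP_ERR_LIMIT  100   /* assumed: max error replies per class per second */

/* Reply classes the limiter counts separately (assumed set). */
enum bandlim_class {
    BANDLIM_UNREACH_PORT = 0, /* ICMP port unreachable (UDP scan / flood) */
    BANDLIM_UNREACH_OTHER,    /* other ICMP error replies */
    BANDLIM_TCP_RST,          /* TCP RST to closed ports, same reflection risk */
    BANDLIM_MAX
};

struct bandlim {
    unsigned long window_start; /* tick at which the current 1 s window began */
    unsigned long sent;         /* replies allowed so far in this window */
    unsigned long suppressed;   /* replies dropped since reset (for reporting) */
};

static struct bandlim limiters[BANDLIM_MAX];

void bandlim_reset(void)
{
    memset(limiters, 0, sizeof limiters);
}

/*
 * Decide whether an error reply of class `cls` may be generated at tick
 * `now`. Returns 1 if the reply must be suppressed, 0 if it may be sent.
 * A window is HZ ticks; once it expires the counter restarts from zero.
 */
int icmp_bandlim(enum bandlim_class cls, unsigned long now, unsigned long limit)
{
    struct bandlim *b = &limiters[cls];

    if (now - b->window_start >= HZ) {
        b->window_start = now;
        b->sent = 0;
    }
    if (b->sent >= limit) {
        b->suppressed++;
        return 1;
    }
    b->sent++;
    return 0;
}

/*
 * Gate for any outbound reply. Only error replies consult the limiter;
 * replies to legitimate traffic (echo reply, ordinary TCP/UDP data) never
 * touch it, which is the property argued for above.
 * Returns 1 if the reply goes out, 0 if it was suppressed.
 */
int send_reply(int is_error, enum bandlim_class cls, unsigned long now)
{
    if (!is_error)
        return 1;
    return icmp_bandlim(cls, now, ICMP_ERR_LIMIT) ? 0 : 1;
}

/*
 * Constructed flood: `n` packets of one class, spread evenly over `span`
 * ticks starting at `start` (span 1 means all in a single tick).
 * Returns how many replies were actually sent.
 */
unsigned long simulate_burst(int is_error, enum bandlim_class cls,
                             unsigned long n, unsigned long start,
                             unsigned long span)
{
    unsigned long i, sent = 0;

    for (i = 0; i < n; i++) {
        unsigned long now = start + (span ? (i * span) / n : 0);
        sent += send_reply(is_error, cls, now);
    }
    return sent;
}

unsigned long bandlim_suppressed(enum bandlim_class cls)
{
    return limiters[cls].suppressed;
}

int main(void)
{
    unsigned long sent;

    bandlim_reset();
    sent = simulate_burst(1, BANDLIM_UNREACH_PORT, 5000, 0, 1);
    printf("5000 port-unreach in 1 tick: sent %lu, suppressed %lu\n",
           sent, bandlim_suppressed(BANDLIM_UNREACH_PORT));

    bandlim_reset();
    sent = simulate_burst(1, BANDLIM_UNREACH_PORT, 5000, 0, 3 * HZ);
    printf("5000 port-unreach over 3 s: sent %lu\n", sent);

    bandlim_reset();
    sent = simulate_burst(0, BANDLIM_UNREACH_PORT, 5000, 0, 1);
    printf("5000 legit replies, same rate: sent %lu\n", sent);
    return 0;
}
```

The interesting behaviour is at the boundaries: a burst of 5000 port-unreachable triggers in one tick yields exactly the per-second cap, the same burst spread over three seconds yields three caps' worth, and the same packet rate of non-error replies is passed untouched. A real implementation would also want the counter readable (the thread's use of `sysctl` to read `net.inet.ip.intr_queue_drops` is the model) so that an operator can tell suppression apart from input-queue overflow.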