Date:      Tue, 1 Dec 1998 08:47:17 -0800 (PST)
From:      Matthew Dillon <dillon@apollo.backplane.com>
To:        Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
Cc:        "John Saunders" <john.saunders@scitec.com.au>, <freebsd-current@FreeBSD.ORG>
Subject:   Re: RE: D.O.S. attack protection enhancements commit (ICMP_BANDLIM)
Message-ID:  <199812011647.IAA07545@apollo.backplane.com>
References:  <005b01be1cf6$e6368da0$6cb611cb@saruman.scitec.com.au> <199812010708.XAA03688@apollo.backplane.com> <199812011619.LAA04055@khavrinen.lcs.mit.edu>

:You can check net.inet.ip.intr_queue_drops to see whether this is in
:fact happening.
    
    You asked for it :-)

shell2.ba.best.com      net.inet.ip.intr_queue_drops: 90
shell3.ba.best.com      net.inet.ip.intr_queue_drops: 0
shell4.ba.best.com      net.inet.ip.intr_queue_drops: 183
shell5.ba.best.com      net.inet.ip.intr_queue_drops: 5504
shell6.ba.best.com      net.inet.ip.intr_queue_drops: 16
shell7.ba.best.com      net.inet.ip.intr_queue_drops: 497970
shell8.ba.best.com      net.inet.ip.intr_queue_drops: 81
shell9.ba.best.com      net.inet.ip.intr_queue_drops: 5
shell10.ba.best.com     net.inet.ip.intr_queue_drops: 3
shell11.ba.best.com     net.inet.ip.intr_queue_drops: 26
shell12.ba.best.com     net.inet.ip.intr_queue_drops: 40458
shell13.ba.best.com     net.inet.ip.intr_queue_drops: 180670
shell14.ba.best.com     net.inet.ip.intr_queue_drops: 0
shell15.ba.best.com     net.inet.ip.intr_queue_drops: 3028088
shell16.ba.best.com     net.inet.ip.intr_queue_drops: 149220
shell17.ba.best.com     net.inet.ip.intr_queue_drops: 1066352
shell18.ba.best.com     net.inet.ip.intr_queue_drops: 130
shell2.la.best.com      net.inet.ip.intr_queue_drops: 195054
fpage1.ba.best.com      net.inet.ip.intr_queue_drops: 39
fpage2.ba.best.com      net.inet.ip.intr_queue_drops: 94
fpage3.ba.best.com      net.inet.ip.intr_queue_drops: 0
commerce1.ba.best.com   net.inet.ip.intr_queue_drops: 0
commerce2.ba.best.com   net.inet.ip.intr_queue_drops: 0
commerce5.ba.best.com   net.inet.ip.intr_queue_drops: 42
dweb1.ba.best.com       net.inet.ip.intr_queue_drops: 0
dweb2.ba.best.com       net.inet.ip.intr_queue_drops: 0
dweb3.ba.best.com       net.inet.ip.intr_queue_drops: 0
proxy1.ba.best.com      net.inet.ip.intr_queue_drops: 171
proxy2.ba.best.com      net.inet.ip.intr_queue_drops: 5
proxy3.ba.best.com      net.inet.ip.intr_queue_drops: 13
proxy4.ba.best.com      net.inet.ip.intr_queue_drops: 0
lists1.best.com         net.inet.ip.intr_queue_drops: 99
news1.best.com          net.inet.ip.intr_queue_drops: 0
news2.best.com          net.inet.ip.intr_queue_drops: 0
nntp1.ba.best.com       net.inet.ip.intr_queue_drops: 28
kephalos.best.net       net.inet.ip.intr_queue_drops: 0
flea.best.net           net.inet.ip.intr_queue_drops: 347249
dns1.ba.best.net        net.inet.ip.intr_queue_drops: 493
dns2.ba.best.net        net.inet.ip.intr_queue_drops: 2965
dns3.ba.best.net        net.inet.ip.intr_queue_drops: 66203

:>     IP on the local LAN, the ICMP replies get buffered while
:>     the machine tries to ARP the destination.
:
:We should rate-limit ARPs, but don't.

    ARP's reasonably rate-limited because most subnets are /24s; it's
    the packets queued up waiting for the ARP to resolve that are the
    problem.

:>     If not, the xmit
:>     traffic goes to the switch which starts collisioning-out packets
:>     when the router beyond the switch saturates.
:
:I'm sorry, I can't parse this.

    An etherswitch has an internal packet buffer.  If the buffer fills up the
    switch will generate a collision on packets being received to try to
    slow down the transmitters (by forcing backoff/retry) while the packet
    buffer drains.

:Then again, when you are receiving 20kpps of legitimate traffic, you
:still want to behave correctly.
:
:-GAWollman

    My patch doesn't touch legit traffic, only ICMP *error* replies that
    the machine tries to generate.

					-Matt

:--
:Garrett A. Wollman   | O Siem / We are all family / O Siem / We're all the same
:wollman@lcs.mit.edu  | O Siem / The fires of freedom 
:Opinions not those of| Dance in the burning flame
:MIT, LCS, CRS, or NSA|                     - Susan Aglukark and Chad Irschick
:
:To Unsubscribe: send mail to majordomo@FreeBSD.org
:with "unsubscribe freebsd-current" in the body of the message
:

    Matthew Dillon  Engineering, HiWay Technologies, Inc. & BEST Internet 
                    Communications & God knows what else.
    <dillon@backplane.com> (Please include original email in any response)    
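
Added example, not part of the original message or of the FreeBSD patch: since `net.inet.ip.intr_queue_drops` is a cumulative counter, comparing two collections of the per-host listing above shows which machines are dropping packets right now rather than at some point since boot. The second snapshot, the 60-second interval and the threshold are constructed assumptions.

```python
import re

# Line format as posted in the message:
#   "<host>  net.inet.ip.intr_queue_drops: <count>"
LINE = re.compile(r"^(\S+)\s+net\.inet\.ip\.intr_queue_drops:\s+(\d+)$")

def parse_snapshot(text):
    """Return {host: cumulative drop count} from collected sysctl lines."""
    counts = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            counts[m.group(1)] = int(m.group(2))
    return counts

def drop_rates(before, after, interval_s):
    """Per-host drops/second between two snapshots taken interval_s apart.

    A value lower than the previous one is treated as a reboot (counter
    reset), and the new value itself is taken as the delta.
    """
    rates = {}
    for host, now in after.items():
        prev = before.get(host)
        if prev is None:
            continue  # no baseline for this host yet
        delta = now - prev if now >= prev else now
        rates[host] = delta / interval_s
    return rates

def flag_hosts(rates, threshold):
    """Hosts whose drop rate exceeds threshold (drops/second), worst first."""
    hot = [(h, r) for h, r in rates.items() if r > threshold]
    return sorted(hot, key=lambda item: item[1], reverse=True)

# First snapshot: four values taken from the listing in the message.
BEFORE = """\
shell3.ba.best.com      net.inet.ip.intr_queue_drops: 0
shell7.ba.best.com      net.inet.ip.intr_queue_drops: 497970
shell15.ba.best.com     net.inet.ip.intr_queue_drops: 3028088
dns3.ba.best.net        net.inet.ip.intr_queue_drops: 66203
"""
# Second snapshot: constructed values, assumed collected 60 seconds later.
AFTER = """\
shell3.ba.best.com      net.inet.ip.intr_queue_drops: 0
shell7.ba.best.com      net.inet.ip.intr_queue_drops: 503970
shell15.ba.best.com     net.inet.ip.intr_queue_drops: 1200
dns3.ba.best.net        net.inet.ip.intr_queue_drops: 66233
"""

if __name__ == "__main__":
    rates = drop_rates(parse_snapshot(BEFORE), parse_snapshot(AFTER), 60)
    for host, rate in flag_hosts(rates, threshold=10):
        print(f"{host}: {rate:.1f} drops/s")
```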
