Hi
One task like a httpd or named , during a ddos attack has your size in
memory increased ?
att,
Breno
On Sat, Oct 11, 2003 at 07:34:28PM -0300, Breno wrote:
^^^^^^^^^^^^^^^^^
Sorry, but could you PLEASE fix the date on your workstation? :(
--
Joshua Kwan
Joshua Kwan wrote:
> On Sat, Oct 11, 2003 at 07:34:28PM -0300, Breno wrote:
> ^^^^^^^^^^^^^^^^^
>
> Sorry, but could you PLEASE fix the date on your workstation? :(
>
I concur, for months his clocked has been skewed
in different directions, Mozilla sorting by date
hates you Breno.
-sb
Sorry Stan , but i connect from many machines.
My servers are in ddos attack , what i?d like to know is about size of tasks
in memory during this kind of attack. I have some ideas to do in my kernel.
Someonde can talk about this situation ?
thanks
Breno
----- Original Message -----
From: "Stan Bubrouski" <[email protected]>
To: "Joshua Kwan" <[email protected]>
Cc: "Breno" <[email protected]>; "linux-kernel mailing list"
<[email protected]>
Sent: Wednesday, September 10, 2003 11:10 PM
Subject: Re: [OT] Re: Size of Tasks during ddos
> Joshua Kwan wrote:
>
> > On Sat, Oct 11, 2003 at 07:34:28PM -0300, Breno wrote:
> > ^^^^^^^^^^^^^^^^^
> >
> > Sorry, but could you PLEASE fix the date on your workstation? :(
> >
>
> I concur, for months his clocked has been skewed
> in different directions, Mozilla sorting by date
> hates you Breno.
>
> -sb
>
>
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to [email protected]
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/
On Thu, 11 Sep 2003 09:33:41 -0300, Breno Silva said:
> My servers are in ddos attack , what i?d like to know is about size of tasks
> in memory during this kind of attack. I have some ideas to do in my kernel.
The answer will differ depending whether (for example) you're being ICMP
flooded, SYN-flooded, hit with a mass of HTTP 'GET /' commands, hit with a mass
of HTTP commands that invoke a resource-intensive CGI like a database search,
and so on.
We'd really need to know what the traffic involved in the DDoS is in order to
be able to comment on memory usage.
This is a Syn Flood DDoS
att
Breno
----- Original Message -----
From: <[email protected]>
To: "Breno Silva" <[email protected]>
Cc: "Stan Bubrouski" <[email protected]>; <[email protected]>
Sent: Thursday, September 11, 2003 11:19 AM
Subject: Re: Size of Tasks during ddos
On Thu, Sep 11, 2003 at 10:19:37AM -0400, [email protected] wrote:
> The answer will differ depending whether (for example) you're being ICMP
> flooded, SYN-flooded, hit with a mass of HTTP 'GET /' commands, hit with a mass
> of HTTP commands that invoke a resource-intensive CGI like a database search,
> and so on.
>
> We'd really need to know what the traffic involved in the DDoS is in order to
> be able to comment on memory usage.
True, but it's not a ddos unless they do everything they can to disable the
target system. Sure they could just flood your net pipe, but why do that
when you could have fewer senders and completely kill the box for a long
time while it tries to process all of your requests (assuming you're running
services accessable from the net).
On Iau, 2003-09-11 at 18:27, Breno wrote:
> This is a Syn Flood DDoS
echo "1" >/proc/sys/net/ipv4/tcp_syncookies
End of problem.
On Iau, 2003-09-11 at 22:23, Mike Fedyk wrote:
> On Thu, Sep 11, 2003 at 07:41:10PM +0100, Alan Cox wrote:
> > On Iau, 2003-09-11 at 18:27, Breno wrote:
> > > This is a Syn Flood DDoS
> >
> > echo "1" >/proc/sys/net/ipv4/tcp_syncookies
> >
> > End of problem.
>
> And why isn't this on by default when it's compiled in?
Syncookies protect you from DoS stuff but they have other side
effects on efficiency when they are in use.
On Thu, Sep 11, 2003 at 07:41:10PM +0100, Alan Cox wrote:
> On Iau, 2003-09-11 at 18:27, Breno wrote:
> > This is a Syn Flood DDoS
>
> echo "1" >/proc/sys/net/ipv4/tcp_syncookies
>
> End of problem.
And why isn't this on by default when it's compiled in?
On Thu, Sep 11, 2003 at 10:26:19PM +0100, Alan Cox wrote:
> On Iau, 2003-09-11 at 22:23, Mike Fedyk wrote:
> > On Thu, Sep 11, 2003 at 07:41:10PM +0100, Alan Cox wrote:
> > > On Iau, 2003-09-11 at 18:27, Breno wrote:
> > > > This is a Syn Flood DDoS
> > >
> > > echo "1" >/proc/sys/net/ipv4/tcp_syncookies
> > >
> > > End of problem.
> >
> > And why isn't this on by default when it's compiled in?
>
> Syncookies protect you from DoS stuff but they have other side
> effects on efficiency when they are in use.
Care to point me to a thread in the archives? I'd like to read more about
this.
On Iau, 2003-09-11 at 22:30, Mike Fedyk wrote:
> > Syncookies protect you from DoS stuff but they have other side
> > effects on efficiency when they are in use.
>
> Care to point me to a thread in the archives? I'd like to read more about
> this.
Not sure offhand where the thread is. The quick summary is
Syn cookies accept the SYN frame and encode sufficient information into
the reply that they can avoid storing any data until the next packet
arrives from the other end completing the connection.
That means squashing all the information we track (mss, window, etc)
into very few bits. A modern TCP will offer large windows, selective ack
and other features which we can't fit into a syn cookie so with this off
a burst of traffic will cause pauses while the socket queue clears and
negotiate fully featured TCP, with syncookies enabled many of the
connections on the burst will not have the extra features so many not
perform as well.
On Thu, 2003-09-11 at 23:23, Mike Fedyk wrote:
> On Thu, Sep 11, 2003 at 07:41:10PM +0100, Alan Cox wrote:
>
> And why isn't this on by default when it's compiled in?
there's several reasons; one of them is a bit cheap: a webserver
benchmark done by a journalist looks a lot like a DoS in this respect ;)
Suppose that one task during a ddos receive much data , so it can try to
alloc much memory to control this data, or to control the list of sockets in
listen state.
att
Breno
----- Original Message -----
From: "Alan Cox" <[email protected]>
To: "Breno" <[email protected]>
Sent: Thursday, September 11, 2003 5:40 PM
Subject: Re: Size of Tasks during ddos
On Iau, 2003-09-11 at 20:54, Breno wrote:
> Alan
>
> This is not the point. I´d like to know about size of tasks in memory .
What does a synflood attack have to do with that. There is no reason
they should change
On Sad, 2003-10-11 at 23:09, Breno wrote:
> Suppose that one task during a ddos receive much data , so it can try to
> alloc much memory to control this data, or to control the list of sockets in
> listen state.
Syncookies dont allocate memory until the connection finishes the 3 way
handshake with the other side
Alan Cox <[email protected]> writes:
> Syn cookies accept the SYN frame and encode sufficient information into
> the reply that they can avoid storing any data until the next packet
> arrives from the other end completing the connection.
>
> That means squashing all the information we track (mss, window, etc)
> into very few bits. A modern TCP will offer large windows, selective ack
> and other features which we can't fit into a syn cookie so with this off
> a burst of traffic will cause pauses while the socket queue clears and
> negotiate fully featured TCP, with syncookies enabled many of the
> connections on the burst will not have the extra features so many not
> perform as well.
Another side effect of syncookies is that flow control for new
connections breaks: when you have a client that is connecting to a
overloaded server it will only notice this after a long timeout. With
syncookies off you get actually useful errnos back on connect().
(overloaded here doesn't necessarily mean DoS, just e.g. a single threaded
service that is taking a long time to do some job and expresses this
with a small argument to listen())
-Andi
On Sunday 12 October 2003 01:09, Breno wrote:
> Suppose that one task during a ddos receive much data , so it can try to
> alloc much memory to control this data, or to control the list of sockets
> in listen state.
Hi Breno,
Can you please fix your clock? Thanks
--
vda
On Fri, Sep 12, 2003 at 06:36:01PM +0300, insecure wrote:
> On Sunday 12 October 2003 01:09, Breno wrote:
> > Suppose that one task during a ddos receive much data , so it can try to
> > alloc much memory to control this data, or to control the list of sockets
> > in listen state.
>
> Hi Breno,
>
> Can you please fix your clock? Thanks
Sorting by received date is your friend. ;) If kmail doesn't have that,
please file a bug report.
Breno, and ntp is your friend. :-D
In article <[email protected]>,
Joshua Kwan <[email protected]> wrote:
|
| On Sat, Oct 11, 2003 at 07:34:28PM -0300, Breno wrote:
| ^^^^^^^^^^^^^^^^^
|
| Sorry, but could you PLEASE fix the date on your workstation? :(
His date is perfectly fine, he just needs to fix the time zone ;-)
--
bill davidsen <[email protected]>
CTO, TMR Associates, Inc
Doing interesting things with little computers since 1979.