Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id ; Wed, 3 Oct 2001 16:02:22 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id ; Wed, 3 Oct 2001 16:02:13 -0400 Received: from h24-78-175-24.vn.shawcable.net ([24.78.175.24]:38529 "EHLO oof.localnet") by vger.kernel.org with ESMTP id ; Wed, 3 Oct 2001 16:02:04 -0400 Date: Wed, 3 Oct 2001 13:02:04 -0700 From: Simon Kirby To: Linus Torvalds Cc: Ben Greear , jamal , Ingo Molnar , linux-kernel@vger.kernel.org, Alexey Kuznetsov , Robert Olsson , Benjamin LaHaise , netdev@oss.sgi.com, Alan Cox Subject: Re: [announce] [patch] limiting IRQ load, irq-rewrite-2.4.11-B5 Message-ID: <20011003130203.A2315@netnation.com> In-Reply-To: <3BBB31F4.C223E12E@candelatech.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.3.22i Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Oct 03, 2001 at 09:33:12AM -0700, Linus Torvalds wrote: > Note that the big question here is WHO CARES? > > There are two issues, and they are independent: > (a) handling of network packet flooding nicely > (b) handling screaming devices nicely. > > First off, some comments: > (a) is not a major security issue. If you allow untrusted users full > 100/1000Mbps access to your internal network, you have _other_ > security issues, like packet sniffing etc that are much much MUCH > worse. So the packet flooding thing is very much a corner case, and > claiming that we have a big problem is silly. > > HOWEVER, (a) _can_ be a performance issue under benchmark load. > Benchmarks (unlike real life) are almost always set up to have full > network bandwidth access, and can show this issue. Actually, the way I first started looking at this problem is the result of a few attacks that have happened on our network. It's not just a while(1) sendto(); UDP spamming program that triggers it -- TCP SYN floods show the problem as well, and _there is no way_ to protect against this without using syncookies or some similar method that can only be done on the receiving TCP stack only. At one point, one of our webservers received 30-40Mbit/sec of SYN packets sustained for almost 24 hours. Needless to say, the machine was not happy. Simon- [ Stormix Technologies Inc. ][ NetNation Communications Inc. ] [ sim@stormix.com ][ sim@netnation.com ] [ Opinions expressed are not necessarily those of my employers. ] - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/