Re: the TCP MSS resource exhaustion commit

From: Bernd Walter <ticso_at_cicely12.cicely.de>
Date: Fri, 9 Jan 2004 16:06:26 +0100
On Fri, Jan 09, 2004 at 03:23:53PM +0100, Andre Oppermann wrote:
> Thorsten Greiner wrote:
> > 
> > * Andre Oppermann <andre_at_freebsd.org> [2004-01-09 11:34]:
> > > You can simply increase net.inet.tcp.minmssoverload to any
> > > higher value.  I suggest 2,000 as next step.  If set it to
> > > 0 the check will be disabled entirely.
> > 
> > Setting net.inet.tcp.minmssoverload to 4000 fixed my problem(s).
> 
> Ok, that's important information.
> 
> > > This makes me wonder why the Oracle database server is sending
> > > so many small packets.  Is your JBoss application doing connection
> > > pooling (eg. multiplexing multiple SQL sessions over one tcp
> > > session)?
> > 
> > It performs connection pooling on the application layer, i.e. it
> > opens several connections and pools them to avoid reopening them. As
> > far as I understand each Oracle connection is associated with a TCP
> > connection - there is no pooling on the TCP level.
> 
> Ok.  Might it be that Oracle is setting the TCP_NODELAY option on
> its sending socket?  I guess it is difficult to find that out...
> 
> > While I have read your commit message thoroughly I am not sure I
> > have understood the consequences of the new mechanism. Will the
> > exchange of many small packets trigger a connection drop?
> 
> Yes.  Once you receive more than 1,000 tcp packets per second whose
> average size is below the net.inet.tcp.minmss value, then it will
> assume a malicious DoS attack.  It appears that the default value
> of 1,000 is too low.

What about ACKs from a simple TCP device such as a microcontroller?
Or SLIP connections with an MTU of 300?
Many smaller controllers don't have enough RAM to do delayed ACKs
or run at MTU 1500.
Even a handful of public webservers are running on such systems!
I'm a bit worried that having such a feature enabled by default will
break TCP communication with specialised hardware.

-- 
B.Walter                   BWCT                http://www.bwct.de
ticso_at_bwct.de                                  info_at_bwct.de
Received on Fri Jan 09 2004 - 06:06:44 UTC
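The heuristic Andre describes above (more than net.inet.tcp.minmssoverload segments per second on one connection with an average size below net.inet.tcp.minmss is treated as a flood and the connection is dropped; 0 disables the check) is modelled below in C. This is an added example written for this archive page, not code from the thread or from the FreeBSD kernel. The value 216 for minmss, the per-connection one-second counter layout, and all traffic traces are assumptions constructed for the illustration; whether the real kernel check also counted pure ACKs, or only data segments, is not stated in the thread, so the model follows the wording literally and counts every segment. Besides reproducing Thorsten's Oracle case at the 1,000 and 4,000 thresholds, the example shows that a cumulative per-second average is order-sensitive: a burst of empty ACKs followed by full-size data trips the check on the first data segment, while the same segments in the opposite order pass.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed default of net.inet.tcp.minmss (bytes); check `sysctl net.inet.tcp.minmss`
 * on a real host.  net.inet.tcp.minmssoverload defaulted to 1000 per the thread. */
#define TCP_MINMSS 216
#define TCP_MINMSSOVERLOAD 1000

/* Per-connection counters for the current one-second window (model, not kernel layout). */
struct small_seg_state {
    uint32_t second;   /* wall-clock second the counters belong to */
    uint32_t pkts;     /* segments seen in that second */
    uint64_t bytes;    /* payload bytes seen in that second */
};

/* One incoming segment of `payload_len` bytes at time `now` (whole seconds).
 * Returns 1 if the connection should be dropped as a small-segment flood.
 * overload == 0 disables the check entirely, as the thread says. */
int small_segment_check(struct small_seg_state *st, uint32_t now,
                        uint32_t payload_len, uint32_t minmss, uint32_t overload)
{
    if (overload == 0)
        return 0;
    if (st->second != now) {            /* new window: restart the counters */
        st->second = now;
        st->pkts = 0;
        st->bytes = 0;
    }
    st->pkts++;
    st->bytes += payload_len;
    /* More than `overload` segments this second AND average payload below minmss. */
    if (st->pkts > overload && st->bytes / st->pkts < minmss)
        return 1;
    return 0;
}

/* Replays a constructed trace inside a single second: n_a segments of len_a bytes,
 * then n_b segments of len_b bytes.  Returns the 1-based index of the segment that
 * tripped the check, or 0 if the whole trace passed. */
uint32_t simulate_burst(uint32_t n_a, uint32_t len_a, uint32_t n_b, uint32_t len_b,
                        uint32_t minmss, uint32_t overload)
{
    struct small_seg_state st = {0};
    uint32_t idx = 0;
    for (uint32_t i = 0; i < n_a; i++) {
        idx++;
        if (small_segment_check(&st, 1, len_a, minmss, overload))
            return idx;
    }
    for (uint32_t i = 0; i < n_b; i++) {
        idx++;
        if (small_segment_check(&st, 1, len_b, minmss, overload))
            return idx;
    }
    return 0;
}

int main(void)
{
    /* Thorsten's case: a stream of small result rows from Oracle, 1500 segments/s. */
    printf("60-byte rows at 1500/s, overload=1000: tripped at %u\n",
           simulate_burst(1500, 60, 0, 0, TCP_MINMSS, TCP_MINMSSOVERLOAD));
    printf("same traffic, overload=4000: tripped at %u\n",
           simulate_burst(1500, 60, 0, 0, TCP_MINMSS, 4000));
    printf("same traffic, check disabled: tripped at %u\n",
           simulate_burst(1500, 60, 0, 0, TCP_MINMSS, 0));
    /* Bernd's SLIP case: MTU 300 leaves ~260 bytes of payload, above minmss. */
    printf("260-byte segments at 1500/s: tripped at %u\n",
           simulate_burst(1500, 260, 0, 0, TCP_MINMSS, TCP_MINMSSOVERLOAD));
    /* Order sensitivity: 1000 empty ACKs then 200 full segments vs. the reverse. */
    printf("1000 ACKs then 200x1460: tripped at %u\n",
           simulate_burst(1000, 0, 200, 1460, TCP_MINMSS, TCP_MINMSSOVERLOAD));
    printf("200x1460 then 1000 ACKs: tripped at %u\n",
           simulate_burst(200, 1460, 1000, 0, TCP_MINMSS, TCP_MINMSSOVERLOAD));
    return 0;
}
```

The order-sensitive cases are the practical caveat for anyone tuning this: a device that cannot delay ACKs and happens to ACK a burst before its own data arrives looks identical, to a cumulative per-second average, to a flood of tiny segments, which is exactly the false-positive class Bernd raises. Raising minmssoverload widens the window; setting it to 0 removes the check.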

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:37:37 UTC