In the last episode (Jan 09), Andre Oppermann said:
> Bernd Walter wrote:
> > On Fri, Jan 09, 2004 at 03:23:53PM +0100, Andre Oppermann wrote:
> > > Thorsten Greiner wrote:
> > > > While I have read your commit message thoroughly I am not sure
> > > > I have understood the consequences of the new mechanism. Will
> > > > the exchange of many small packets trigger a connection drop?
> > >
> > > Yes. Once you receive more than 1,000 tcp packets per second
> > > whose average size is below the net.inet.tcp.minmss value, then
> > > it will assume a malicious DoS attack. It appears that the
> > > default value of 1,000 is too low.
>
> The detection logic only applies to TCP packets containing payload,
> not to ACKs or anything else.

The Oracle case was probably triggered by the ping-ponging effect that
running many small queries causes. People running MySQL as a backend
for webservers will probably trigger the same thing.

You should probably also ignore any connections originating from local
networks, ignore any connections where TCP_NODELAY is set (which will
cover the ssh case), and ignore packets where the reply has data in it
(which will cover Oracle, MySQL, xmlrpc, NFS, NIS, and any other
request-reply protocol with small packets).

-- 
	Dan Nelson
	dnelson_at_allantgroup.com

Received on Fri Jan 09 2004 - 07:08:23 UTC
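The heuristic as Andre describes it (more than 1,000 payload-carrying segments per second whose average size is below net.inet.tcp.minmss), together with the three exemptions Dan proposes, modelled as an added example. This is not FreeBSD's tcp_input.c and not code from anyone in the thread: the 216-byte minmss default, the one-second window, the Segment/Conn structures, the MinMssOverloadDetector class and the reply_has_data flag (a stand-in for "the reply to this packet carried data") are assumptions made here, and every packet trace is constructed inline. It shows why a flood of tiny segments and a busy small-query client look identical to the counter, why ACKs never contribute, and how each exemption changes the outcome.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Segment:
    ts: float                      # arrival time in seconds (constructed)
    payload_len: int               # TCP payload bytes; 0 for a pure ACK
    reply_has_data: bool = False   # hypothetical flag: our reply carried data


@dataclass
class Conn:
    peer: str                      # remote address as a string
    nodelay: bool = False          # TCP_NODELAY set on the socket
    window_start: float = -1.0     # start of the current 1-second window
    pps: int = 0                   # payload-carrying segments in the window
    byps: int = 0                  # payload bytes in the window


class MinMssOverloadDetector:
    """Per-connection rate heuristic modelled on the thread's description:
    more than `overload` payload-carrying segments within one second whose
    average payload is below `minmss` is treated as a DoS and the connection
    is dropped.  The three exemptions are Dan Nelson's suggestions, modelled
    here, not FreeBSD code."""

    def __init__(self, minmss=216, overload=1000, local_nets=(),
                 exempt_nodelay=False, exempt_request_reply=False):
        self.minmss = minmss          # assumed default, bytes
        self.overload = overload      # the 1,000 packets/second figure
        self.local_nets = [ip_network(n) for n in local_nets]
        self.exempt_nodelay = exempt_nodelay
        self.exempt_request_reply = exempt_request_reply

    def exempt(self, conn, seg):
        if any(ip_address(conn.peer) in net for net in self.local_nets):
            return True                           # local network
        if self.exempt_nodelay and conn.nodelay:
            return True                           # the ssh case
        if self.exempt_request_reply and seg.reply_has_data:
            return True                           # request-reply protocols
        return False

    def process(self, conn, seg):
        """Return True if this segment tips the connection into a drop."""
        if seg.payload_len == 0:                  # ACKs never count
            return False
        if self.exempt(conn, seg):
            return False
        if conn.window_start < 0 or seg.ts >= conn.window_start + 1.0:
            conn.window_start = seg.ts            # open a fresh 1 s window
            conn.pps, conn.byps = 1, seg.payload_len
            return False
        conn.pps += 1
        conn.byps += seg.payload_len
        # integer average, as a kernel would compute it
        return conn.pps > self.overload and conn.byps // conn.pps < self.minmss


def first_drop(detector, conn, segments):
    """Index of the first segment that triggers a drop, or None."""
    for i, seg in enumerate(segments):
        if detector.process(conn, seg):
            return i
    return None


def burst(n, payload_len, duration=0.5, reply_has_data=False):
    """Constructed trace: n segments spread evenly over `duration` seconds."""
    return [Segment(ts=i * duration / n, payload_len=payload_len,
                    reply_has_data=reply_has_data) for i in range(n)]


def scenarios():
    base = MinMssOverloadDetector()
    tuned = MinMssOverloadDetector(local_nets=("10.0.0.0/8",),
                                   exempt_nodelay=True,
                                   exempt_request_reply=True)
    remote, local = "198.51.100.7", "10.0.0.5"
    return {
        # 1200 x 40-byte segments in half a second: dropped at the 1001st
        "flood": first_drop(base, Conn(remote), burst(1200, 40)),
        # pure ACKs never count, however many arrive
        "ack_flood": first_drop(base, Conn(remote), burst(1200, 0)),
        # bulk transfer: many segments, but average payload is above minmss
        "bulk": first_drop(base, Conn(remote), burst(1200, 1460)),
        # busy small-query client (the Oracle/MySQL case) trips the default...
        "small_queries": first_drop(base, Conn(remote),
                                    burst(1200, 60, reply_has_data=True)),
        # ...but not with the request-reply exemption
        "small_queries_exempt": first_drop(tuned, Conn(remote),
                                           burst(1200, 60, reply_has_data=True)),
        # ...or when the client sits on a local network
        "local_client": first_drop(tuned, Conn(local), burst(1200, 40)),
        # ...or has TCP_NODELAY set
        "nodelay_client": first_drop(tuned, Conn(remote, nodelay=True),
                                     burst(1200, 40)),
        # the same 1200 tiny segments over two seconds stay under 1000/s
        "slow_flood": first_drop(base, Conn(remote), burst(1200, 40, duration=2.0)),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:22s} -> {'drop at segment ' + str(result) if result is not None else 'ok'}")
```

Note that the model keeps a fixed window that restarts on the first payload segment after it expires, so the slow flood is counted as two windows of 600 each; a sliding window would count the same trace differently, which is one reason such a threshold can misfire on legitimate bursty traffic.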
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:37:37 UTC