> > Our patch can be used along with SYN policing to prioritize incoming
> > connection requests on a socket. SYN policing can be used to limit
> > the rate of a particular class, but it cannot be used to prioritize a
>
> No. Because you cant prove the packets are not spoofed. An attacker
> becomes able to block classes
Their idea is feedback from prioritized accept queue to syn-table.
SYN floods just have no effect on this algoruthm.
They do really clever thing. Look at the case with single queue:
when apache is overloaded, accept queue grows. After some point
it becomes meaningless to queue new SYNs, they will only clog
syn-table, but we will not able to accept them in time.
because we will not have any connection ready, when apache overcomes
its troubles. I have thought on this, but without big success.
Typical accept latency is local and low, and typical syn-table latency
is rtt. The processes of establishing and accepting work at different
time scales and it is not quite trivial to get some useful smooth feedback
from high frequency accept queue to low frequency syn-table.
It is exactly the place where RED-like schemes should work well, by the way,
but I did not try this unfortunately. Trying instead to get feedback from
rate of SYNs, which was deemed to fail.
Actually, 2.4 does some trick of this kind in the most primitive form.
If their approach is really working, it can be extremally useful.
Alexey
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/