From: "H.K. Jerry Chu" <hkjerry.chu@gmail.com>
To: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Alexander Bergmann <alex@linlab.net>,
	David Miller <davem@davemloft.net>,
	netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 1/1] tcp: Wrong timeout for SYN segments
Date: Wed, 29 Aug 2012 10:25:34 -0700	[thread overview]
Message-ID: <CAFbMe2PG90X7s6s970+XK3X0Jvzx4p6vhvM+JQCwtULPvs1QLw@mail.gmail.com> (raw)
In-Reply-To: <1346230305.2522.15.camel@edumazet-glaptop>

Eric,

On Wed, Aug 29, 2012 at 1:51 AM, Eric Dumazet <eric.dumazet@gmail.com> wrote:
> On Tue, 2012-08-28 at 21:34 -0700, H.K. Jerry Chu wrote:
>
>> IMHO 31secs seem a little short. Why not change it to 6 as well because 63
>> secs still beats 93secs with 3sec initRTO and 5 retries.
>>
>> Jerry
>>
>
> My rationale was that such increase were going to amplify SYN attacks
> impact by 20% (if we count number of useless SYNACK sent)

IMHO the main damage caused by a SYN attack is DoS resulting from bogus
SYNs clogging the listener queue. I guess you've had numbers showing
that generating so many SYNACKs in response to bogus SYNs can be costly
too. But each bogus SYN that expires earlier will open up space sooner in the
listener queue for more bogus SYNs, so I'm not sure which one can induce
more damage.

Also if syn-cookie is enabled, it will dwarf the cost from
retransmitting SYN-ACK, right?

>
> If the active side sends SYN packets for 180 seconds, do we really want
> to also send SYNACKS for additional 100 seconds ?

You have a good point. (I remember some folks in the past even questioned,
with retransmitting SYN, why SYN-ACK retransmit is necessary, other than for
expedient recovery purposes.)

But it probably matters slightly more for TCP Fast Open (the server side patch
has been completed and will be posted soon, after I finish breaking it up into
smaller pieces for ease of review), when a full socket will be created with data
passed to the app upon a valid SYN+data. Dropping a fully functioning socket
won't be the same as dropping a request_sock unknown to the app and letting
the other side retransmit SYN (w/o data this time).

>
> Sure, RFC numbers are what they are, but in practice, I doubt someone
> will really miss the extra SYNACK sent after ~32 seconds, since it would
> matter only for the last SYN attempted.

I'd slightly prefer 1 extra retry plus longer wait time just to make
TCP Fast Open a little more robust (even though the app protocol is required
to be idempotent). But this is not a showstopper.

Thanks,

Jerry

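The figures traded back and forth in this thread (31, 63 and 93 seconds; "20%" more SYNACKs) all come from one exponential-backoff calculation. The following is an added example, not code from the kernel or from any participant; it assumes a pure doubling RTO with no cap, which is what the thread's own numbers imply, and treats "timeout" the way Jerry does, as the time of the last retransmission rather than the moment the attempt is abandoned. The constructed scenarios are the ones under discussion: 1 s initial RTO with 5 or 6 retries, and 3 s initial RTO with 5 retries.

```python
"""Added example: SYN / SYN-ACK retransmission schedule under exponential backoff.

Assumptions (not taken from the page): the retransmission timer doubles on every
retry and is never capped, and the attempt is abandoned after one more RTO
period following the last retransmission.
"""


def retransmit_times(init_rto, retries):
    """Seconds after the initial send at which each retransmission goes out."""
    times = []
    elapsed = 0.0
    rto = float(init_rto)
    for _ in range(retries):
        elapsed += rto
        times.append(elapsed)
        rto *= 2.0  # exponential backoff, uncapped
    return times


def last_retransmit_time(init_rto, retries):
    """Time of the final retransmission: init_rto * (2**retries - 1).

    This is the 'timeout' the thread quotes: 31 s for 1 s / 5 retries,
    63 s for 1 s / 6 retries, 93 s for 3 s / 5 retries.
    """
    times = retransmit_times(init_rto, retries)
    return times[-1] if times else 0.0


def abandon_time(init_rto, retries):
    """Time at which the side gives up: one more RTO after the last retransmit."""
    return init_rto * (2.0 ** (retries + 1) - 1)


def extra_synack_ratio(old_retries, new_retries):
    """Fractional increase in retransmitted SYN-ACKs a listener emits per
    never-completed SYN when its retry count moves from old to new.

    Going from 5 to 6 retries is the 20% increase Eric mentions. Every extra
    retransmission also keeps the request_sock slot occupied for longer, which
    is the listener-queue cost Jerry weighs against it.
    """
    return (new_retries - old_retries) / old_retries


def compare(scenarios):
    """Tabulate the constructed scenarios; returns the rows for inspection."""
    rows = []
    for name, init_rto, retries in scenarios:
        rows.append(
            (
                name,
                retransmit_times(init_rto, retries),
                last_retransmit_time(init_rto, retries),
                abandon_time(init_rto, retries),
            )
        )
    return rows


# Constructed scenarios matching the values discussed in the thread.
SCENARIOS = [
    ("1s initRTO, 5 retries", 1, 5),
    ("1s initRTO, 6 retries", 1, 6),
    ("3s initRTO, 5 retries", 3, 5),
]

if __name__ == "__main__":
    for name, times, last, give_up in compare(SCENARIOS):
        print(f"{name}: retransmits at {times} s, last at {last:.0f} s, "
              f"abandoned at {give_up:.0f} s")
    print(f"SYNACK retransmits 5 -> 6 retries: +{extra_synack_ratio(5, 6):.0%}")
```

Running it reproduces the thread's arithmetic: 5 retries at 1 s puts the last SYN-ACK at 31 s, 6 retries at 63 s, and the older 3 s initial RTO with 5 retries at 93 s. With SYN cookies enabled the listener stores no request_sock for an unacknowledged SYN at all, which is why Jerry expects the per-SYN retransmission cost to dominate only in that configuration.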

Thread overview: 31+ messages
2012-08-21 23:29 [PATCH 1/1] tcp: Wrong timeout for SYN segments Alex Bergmann
2012-08-22  8:06 ` Eric Dumazet
2012-08-22  8:48   ` Alex Bergmann
2012-08-22  8:58     ` Eric Dumazet
2012-08-22  9:29       ` Alex Bergmann
2012-08-22  9:59         ` Eric Dumazet
2012-08-22 10:03           ` Eric Dumazet
2012-08-22 17:29             ` H.K. Jerry Chu
2012-08-22 16:44 ` H.K. Jerry Chu
     [not found] ` <CAFbMe2M7ekc94bQk7vTS1LhScPd49VZ-zKOCUXhqwxXtL-nkuA@mail.gmail.com>
2012-08-23 11:58   ` Alex Bergmann
2012-08-23 12:15     ` Eric Dumazet
2012-08-23 12:35       ` David Laight
2012-08-23 12:51         ` Eric Dumazet
2012-08-23 12:37       ` Alex Bergmann
2012-08-23 12:49         ` Eric Dumazet
2012-08-24 12:17           ` Alex Bergmann
2012-08-24 17:42           ` David Miller
2012-08-25  8:48             ` Alexander Bergmann
2012-08-25  9:01               ` Eric Dumazet
2012-08-28  8:44               ` Carsten Wolff
     [not found]                 ` <1346414260.2591.8.camel@edumazet-glaptop>
2012-08-31 12:48                   ` Alexander Bergmann
2012-08-31 13:25                     ` Eric Dumazet
2012-08-31 19:42                       ` David Miller
2012-08-31 19:47                         ` David Miller
2012-08-29  4:34               ` H.K. Jerry Chu
2012-08-29  8:51                 ` Eric Dumazet
2012-08-29 17:25                   ` H.K. Jerry Chu [this message]
2012-08-30 13:12                     ` Eric Dumazet
2012-08-30 16:45                       ` David Miller
2012-08-30 18:04                         ` H.K. Jerry Chu
2012-08-30 17:59                       ` H.K. Jerry Chu
