On Wed, Oct 03, 2001 at 09:33:12AM -0700, Linus Torvalds wrote:
> Note that the big question here is WHO CARES?
> There are two issues, and they are independent:
> (a) handling of network packet flooding nicely
> (b) handling screaming devices nicely.
> First off, some comments:
> (a) is not a major security issue. If you allow untrusted users full
> 100/1000Mbps access to your internal network, you have _other_
> security issues, like packet sniffing etc that are much much MUCH
> worse. So the packet flooding thing is very much a corner case, and
> claiming that we have a big problem is silly.
> HOWEVER, (a) _can_ be a performance issue under benchmark load.
> Benchmarks (unlike real life) are almost always set up to have full
> network bandwidth access, and can show this issue.
Actually, the way I first started looking at this problem is the result
of a few attacks that have happened on our network. It's not just a
while(1) sendto(); UDP spamming program that triggers it -- TCP SYN
floods show the problem as well, and _there is no way_ to protect against
this without using syncookies or some similar method that can only be
done on the receiving TCP stack.
At one point, one of our webservers received 30-40Mbit/sec of SYN packets
sustained for almost 24 hours. Needless to say, the machine was not
[ Stormix Technologies Inc. ][ NetNation Communications Inc. ]
[ sim@xxxxxxxxxxx ][ sim@xxxxxxxxxxxxx ]
[ Opinions expressed are not necessarily those of my employers. ]
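The syncookie defence mentioned in the reply above, as an added example that is not code from the thread or from the Linux kernel: a simplified encoder and checker following the classic layout described by D. J. Bernstein (top 5 bits of a counter that ticks every 64 seconds, a 3-bit MSS index, and a 24-bit keyed hash of the 4-tuple and the counter in the low bits). The point it shows is why this can only live in the receiving TCP stack: the server keeps no state for the half-open connection and reconstructs everything it needs from the ACK's sequence number alone. The secret, the MSS table, the 4-tuple, the two-tick validity window, and the 64-bit mixing function standing in for a real keyed hash (SipHash or SHA-1 in a real stack) are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* The TCP 4-tuple as seen by the server (constructed addresses below). */
struct flow {
    uint32_t saddr, daddr;   /* client and server IPv4 addresses */
    uint16_t sport, dport;   /* client and server ports */
};

/* Per-boot server secret. Assumed value; a real stack draws it at random
 * and rotates it. */
static const uint64_t syncookie_secret = 0x0123456789abcdefULL;

/* Only a 3-bit index survives the round trip, not the client's MSS itself.
 * Constructed ascending table; the checker maps the index back to an MSS. */
static const uint16_t mss_table[8] = { 536, 1024, 1220, 1440, 1460, 4312, 8960, 9000 };

/* Accept cookies up to this many counter ticks old (assumed: 2 ticks = 128 s). */
#define SYNCOOKIE_MAX_AGE 2u

/* Largest table MSS not exceeding what the client offered (falls back to index 0). */
static uint8_t mss_to_index(uint16_t client_mss) {
    uint8_t i = 0;
    for (uint8_t k = 1; k < 8; k++)
        if (mss_table[k] <= client_mss) i = k;
    return i;
}

/* Stand-in keyed hash: mixes (secret, 4-tuple, counter) into 24 bits.
 * Not a vetted MAC; it only exists so the example runs stand-alone. */
static uint32_t cookie_hash(const struct flow *f, uint32_t count) {
    uint64_t h = syncookie_secret;
    uint64_t in[3] = {
        ((uint64_t)f->saddr << 32) | f->daddr,
        ((uint64_t)f->sport << 16) | f->dport,
        count
    };
    for (int i = 0; i < 3; i++) {
        h ^= in[i];
        h *= 0x9e3779b97f4a7c15ULL;
        h ^= h >> 29;
        h *= 0xbf58476d1ce4e5b9ULL;
        h ^= h >> 32;
    }
    return (uint32_t)h & 0x00ffffffu;
}

/* ISN for our SYN-ACK. Nothing about this SYN is stored; the ISN is the state. */
static uint32_t syncookie_make(const struct flow *f, uint16_t client_mss, uint32_t now) {
    uint32_t t = now & 0x1fu;
    uint32_t m = mss_to_index(client_mss);
    return (t << 27) | (m << 24) | cookie_hash(f, now);
}

/* Validate the handshake-completing ACK. Returns the negotiated MSS, or 0 if
 * the cookie is forged, stale, or belongs to a different 4-tuple. */
static uint16_t syncookie_check(const struct flow *f, uint32_t ack_seq, uint32_t now) {
    uint32_t cookie = ack_seq - 1;                   /* client acks ISN + 1 */
    uint32_t t_bits = cookie >> 27;
    uint32_t mss_idx = (cookie >> 24) & 7u;
    /* Most recent counter value whose low 5 bits match the cookie. */
    uint32_t count = now - ((now - t_bits) & 0x1fu);
    if (now - count > SYNCOOKIE_MAX_AGE) return 0;   /* too old: rejected */
    if ((cookie & 0x00ffffffu) != cookie_hash(f, count)) return 0;
    return mss_table[mss_idx];
}

/* Constructed flows for the demo. */
static const struct flow demo_flow  = { 0xc0a80002u, 0xc0a80001u, 40000, 80 };
static const struct flow other_flow = { 0xc0a80002u, 0xc0a80001u, 40001, 80 };

/* Issue a cookie at tick 1000, then check an ACK arriving `age` ticks later
 * whose ack_seq is off by `ack_delta` from the honest value (0 = honest). */
static uint16_t roundtrip(const struct flow *f, uint16_t client_mss, uint32_t age, uint32_t ack_delta) {
    uint32_t t0 = 1000;
    uint32_t isn = syncookie_make(f, client_mss, t0);
    return syncookie_check(f, isn + 1 + ack_delta, t0 + age);
}

int main(void) {
    printf("honest ACK, 1 tick later : mss %u\n", roundtrip(&demo_flow, 1460, 1, 0));
    printf("forged ACK               : mss %u\n", roundtrip(&demo_flow, 1460, 1, 0x1000));
    printf("replayed after 3 ticks   : mss %u\n", roundtrip(&demo_flow, 1460, 3, 0));
    printf("cookie from another flow : mss %u\n",
           syncookie_check(&other_flow, syncookie_make(&demo_flow, 1460, 1000) + 1, 1000));
    return 0;
}
```

The price of keeping no state is visible in the code: only the MSS index fits in the ISN, so window scaling, SACK and other options negotiated in the SYN are lost in this basic form, which is why stacks normally switch cookies on only once the listen queue is under pressure.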