SYN flooding -- drop policies
Mike O'Dell suggested using drop oldest in some situations. Unfortunately it is about as good as RED if source of good SYNs is deterministic and is *much* worse than RED if it is bursty. Assuming that source of bad SYNs is deterministic as well as server, and good SYNs come as Poisson process chances of good SYN survival with RED are about 1-e^-1 times better than with Drop Oldest. With self-similar SYN inter-arrival pattern (there are some indications that it's like that) the advantage of RED is even bigger. I didn't do any serious research on that, so the result is of "back of envelope" kind, but it does make some intuitive sense. It should also be observed that tail-drop at customer access gateway would reduce usefulness of RED (or Drop Oldest), particularly when flood rate comes closer to link capacity. The question of what max. queue length is the best remains pretty much open; as well as how it interacts with back-off SYN retransmissions. --vadim
Vadim Antonov writes:
> Mike O'Dell suggested using drop oldest in some situations.
> Unfortunately it is about as good as RED if source of good SYNs is deterministic and is *much* worse than RED if it is bursty.
Not really true until traffic levels become very high. You have to keep in mind that legitimate half open connections very fast (with a couple of RTTs at most) become fully open connections, whereas the illegitimate connections tend to hang out for the full 75 seconds. Drop oldest in most cases is equivalent to cutting back the maximum timeout, which in practice drops only the illegitimate entries in the queue. Random drop becomes useful when the characteristics of connections being dropped and connections being kept start becoming similar -- that is, when the queue fills in less than an RTT or two. At that point, RED like algorithms start to shine.
> The question of what max. queue length is the best remains pretty much open; as well as how it interacts with back-off SYN retransmissions.
The new Borman code for 4.4lite2 allows you to accommodate a queue with tens of thousands of half open connections with comparatively little memory used. I think it's a reasonable approach, modulo the fact that it actually doesn't allow strict oldest drop. Perry
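The two regimes argued over in this thread (drop oldest beating tail drop while the backlog fills slower than an RTT, random drop pulling ahead once it fills faster) can be checked with a small backlog simulation. This is an added example, not code from either poster; it assumes a 0.1 s RTT for legitimate handshakes, the 75 s timeout for spoofed entries quoted above, a deterministic flood and Poisson legitimate SYNs, all constructed inputs.

```python
import random

RTT = 0.1           # assumed: a legitimate half-open entry completes its handshake in one RTT
SYN_TIMEOUT = 75.0  # spoofed half-open entries linger for the full timeout (Perry's figure)

def simulate(policy, backlog, flood_rate, legit_rate, duration, seed=1):
    """Fraction of legitimate SYNs that complete the handshake under a SYN flood.
    policy: 'tail' (refuse the newcomer when full), 'oldest' (evict the oldest
    entry) or 'random' (evict a uniformly chosen entry, the RED-like choice).
    Flood SYNs arrive at flood_rate/s, legit SYNs as Poisson at legit_rate/s."""
    rng = random.Random(seed)
    arrivals = [(k / flood_rate, False) for k in range(int(duration * flood_rate))]
    t = rng.expovariate(legit_rate)
    while t < duration - RTT:          # every legit SYN gets a full RTT of trace after it
        arrivals.append((t, True))
        t += rng.expovariate(legit_rate)
    arrivals.sort()
    queue = []                         # (arrival_time, is_legit), kept in arrival order
    total = survived = 0

    def expire(now):
        nonlocal survived
        keep = []
        for arr, legit in queue:
            if legit and arr + RTT <= now:
                survived += 1          # handshake completed; entry leaves the backlog
            elif not legit and arr + SYN_TIMEOUT <= now:
                pass                   # spoofed entry finally timed out
            else:
                keep.append((arr, legit))
        queue[:] = keep

    for now, legit in arrivals:
        expire(now)
        total += legit
        if len(queue) >= backlog:
            if policy == 'tail':
                continue               # backlog full: newcomer refused, legit or not
            idx = 0 if policy == 'oldest' else rng.randrange(len(queue))
            del queue[idx]             # evicted entry never completes
        queue.append((now, legit))
    expire(float('inf'))               # nothing else arrives, so queued legits finish
    return survived / total

if __name__ == "__main__":
    for label, args in (("moderate", (512, 100, 20, 20.0)), ("heavy", (128, 2000, 40, 5.0))):
        print(label, {p: round(simulate(p, *args), 3) for p in ("tail", "oldest", "random")})
```

In the moderate case (backlog of 512 filling over several seconds) drop oldest loses no legitimate SYNs at all, while in the heavy case (backlog of 128 filling in about 60 ms, under one RTT) drop oldest loses essentially every legitimate SYN and random drop keeps a noticeable fraction, which is the crossover Perry describes.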