
Re: Separate queues for pending and established connections.



Hi,

"Ramesh.S" wrote:
> yes there are separate queues for established and pending connections..
> but i want to know what ur exact problem is.. since u r giving the
> maximum number of connections in the
> listen call of ur server program .. ur SYN flood won't cause any
> probs.. coz when the established connection is closed there can be an
> entry from pending to established.. at that time u can be given a SYN
> to enter ur pending queue.....
> 

Thanks Ramesh for the interest. Actually, I am still not convinced that
the separation of the two queues had any direct security implications
(good/bad). Even with the two separate queues, wouldn't genuine clients
still have to contend with the SYN flood for space in the pending queue?
In fact, we can always 'imagine' the established sockets to belong to a
new separate queue; things effectively (apparently) don't change. I
guessed two ways in which splitting the queue into two actually helps -
1. it makes the queues 'cleaner'. E.g., in order to survive a SYN flood,
if you increase the queue size, there would be some performance drop in
searching for established connections.
2. And as in 1, it helps in applying (efficiently) the random/tail-drop
algorithms that actually directly (try to) survive the SYN-flood. (fyi,
these algorithms drop random/tail/head pending connections in an attempt
to probabilistically guarantee a connection to genuine clients.)

Let me know if these sound reasonable.

Another question, is there a site which documents major kernel changes
(with say an explanation of why the change was necessary) especially for
the networking part? It is an ugly waste of time to try to figure out
why a particular change was made. For example, right now I am looking
for a peer review of a problem already solved in history.

Thanks and bye,
Vinay.

-- 
-----------------------------------------------------------------------
Mr. Mahadik, Vinay A.
Graduate Student - Electrical & Computer Engineering Department, NCSU.
Major - Computer Network Engineering.

Home	: 1701/1 Crest Rd., Raleigh, NC 27606 (919)8388325
Office	: Suite 2300, Research IV, Centennial Campus, NCSU (919)5159677
Email	: vamahadi@xxxxxxxxxxxx
URL	: http://hickory.csc.ncsu.edu/
-----------------------------------------------------------------------
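
As an added illustration of point 2 in the message above (not part of the original post and not kernel code), this small simulation compares tail-drop with random-drop on a fixed-size pending queue during a SYN flood and reports how many genuine handshakes complete. The queue size, flood rate, SYN timeout and round-trip time are constructed values chosen for the example.

```python
import random

def simulate(policy, backlog=128, flood_per_tick=20, syn_timeout=30,
             rtt=2, ticks=3000, seed=1):
    """Return the fraction of genuine clients whose handshake completes.

    policy: "tail" rejects a new SYN when the pending queue is full;
            "random" evicts a uniformly chosen pending entry instead.
    All parameters are constructed for illustration, not kernel defaults.
    """
    if policy not in ("tail", "random"):
        raise ValueError("policy must be 'tail' or 'random'")
    rng = random.Random(seed)
    pending = []            # entries: [is_genuine, age_in_ticks]
    sent = completed = 0
    for _ in range(ticks):
        # Age entries. Genuine ones finish the handshake after one RTT and
        # leave the pending queue; spoofed ones only leave on timeout.
        survivors = []
        for entry in pending:
            entry[1] += 1
            if entry[0] and entry[1] >= rtt:
                completed += 1
            elif entry[1] < syn_timeout:
                survivors.append(entry)
        pending = survivors
        # One genuine SYN arrives at a random position among the spoofed ones.
        arrivals = [False] * flood_per_tick + [True]
        rng.shuffle(arrivals)
        for is_genuine in arrivals:
            sent += is_genuine
            if len(pending) >= backlog:
                if policy == "tail":
                    continue                              # new SYN is dropped
                pending.pop(rng.randrange(len(pending)))  # random drop
            pending.append([is_genuine, 0])
    return completed / sent

if __name__ == "__main__":
    for policy in ("tail", "random"):
        print(policy, round(simulate(policy), 3))
    print("no flood", round(simulate("tail", flood_per_tick=0), 3))
```

With tail-drop a genuine SYN only gets in when a spoofed entry happens to time out just before it arrives; with random-drop it is always admitted and only has to survive eviction for one round trip.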