From: Jesper Dangaard Brouer <jbrouer@redhat.com>
To: Eric Dumazet <eric.dumazet@gmail.com>, Dave Taht <dave.taht@gmail.com>
Cc: codel@lists.bufferbloat.net
Subject: Re: [Codel] hardware multiqueue in fq_codel?
Date: Mon, 15 Jul 2013 14:56:33 +0200 [thread overview]
Message-ID: <20130715145633.3c10b646@redhat.com> (raw)
In-Reply-To: <1373649589.10804.34.camel@edumazet-glaptop>
On Fri, 12 Jul 2013 10:19:49 -0700
Eric Dumazet <eric.dumazet@gmail.com> wrote:
> On Fri, 2013-07-12 at 12:54 -0400, Dave Taht wrote:
>
> > My point was that same program would be just as damaging against
> > pfifo_fast.
> >
> > > Or just think of SYN flood attack.
> >
> > For which other defenses exist.
>
> If someone uses pfifo_fast, it needs no particular protection right
> now to be able to log in into his machine.
I actually like your SSH use-case better than, the high-avail heartbeat
use-case, as the HA guys should just change the qdisc by-hand, as they
(should) know what they are doing (setting up their complicated configs).
<troll>
Then I say: Not if the attacker also sets the TOS bits.
Then you say: But the TOS bits should be stripped at the border-gateway.
Then I say: But my server is at a cloud provider, thus I'm logging
remotely and the cloud provider is stripping my SSH TOS bits. Thus, its
not helping me... ;-)
You SSH use-case is more valid, but when we are under real hard
SYN DoS-attacks then all CPU are pinned down on the listen-spinlock
problem... troll running away hiding ;-)
</troll>
ps. I usually have a separate NIC on the machine for management/SSH
(using ip rule, routing tables to ensure this NIC have a seperate
default gateway).
--
Best regards,
Jesper Dangaard Brouer
MSc.CS, Sr. Network Kernel Developer at Red Hat
Author of http://www.iptv-analyzer.org
LinkedIn: http://www.linkedin.com/in/brouer
next prev parent reply other threads:[~2013-07-15 12:56 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-07-11 17:09 Dave Taht
2013-07-11 17:44 ` Eric Dumazet
2013-07-11 18:06 ` Dave Taht
2013-07-11 18:54 ` Eric Dumazet
2013-07-11 21:18 ` Dave Taht
2013-07-12 0:06 ` Eric Dumazet
2013-07-12 0:48 ` Dave Taht
2013-07-12 9:34 ` Jesper Dangaard Brouer
2013-07-12 15:13 ` Eric Dumazet
2013-07-12 16:36 ` Sebastian Moeller
2013-07-12 16:54 ` Eric Dumazet
2013-07-12 17:00 ` Dave Taht
2013-07-15 13:40 ` Jesper Dangaard Brouer
2013-07-15 13:57 ` Eric Dumazet
2013-07-15 14:24 ` Jesper Dangaard Brouer
2013-07-15 15:30 ` Eric Dumazet
2013-07-15 17:19 ` Dave Taht
2013-07-12 16:37 ` Dave Taht
2013-07-12 16:39 ` Dave Taht
2013-07-12 16:50 ` Eric Dumazet
2013-07-12 16:54 ` Dave Taht
2013-07-12 17:19 ` Eric Dumazet
2013-07-12 17:35 ` Dave Taht
2013-07-12 17:47 ` Eric Dumazet
2013-07-12 18:06 ` Dave Taht
2013-07-15 12:56 ` Jesper Dangaard Brouer [this message]
2013-07-12 17:32 ` luca.muscariello
2013-07-11 19:41 ` Jonathan Morton
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://lists.bufferbloat.net/postorius/lists/codel.lists.bufferbloat.net/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130715145633.3c10b646@redhat.com \
--to=jbrouer@redhat.com \
--cc=codel@lists.bufferbloat.net \
--cc=dave.taht@gmail.com \
--cc=eric.dumazet@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox