[Codel] hardware multiqueue in fq_codel?
Jesper Dangaard Brouer
jbrouer at redhat.com
Mon Jul 15 08:56:33 EDT 2013
On Fri, 12 Jul 2013 10:19:49 -0700
Eric Dumazet <eric.dumazet at gmail.com> wrote:
> On Fri, 2013-07-12 at 12:54 -0400, Dave Taht wrote:
>
> > My point was that same program would be just as damaging against
> > pfifo_fast.
> >
> > > Or just think of SYN flood attack.
> >
> > For which other defenses exist.
>
> If someone uses pfifo_fast, it needs no particular protection right
> now to be able to log in to his machine.
I actually like your SSH use-case better than the high-avail heartbeat
use-case, as the HA guys should just change the qdisc by hand, as they
(should) know what they are doing (setting up their complicated configs).
<troll>
Then I say: Not if the attacker also sets the TOS bits.
Then you say: But the TOS bits should be stripped at the border-gateway.
Then I say: But my server is at a cloud provider, thus I'm logging
remotely and the cloud provider is stripping my SSH TOS bits. Thus, it's
not helping me... ;-)
Your SSH use-case is more valid, but when we are under real hard
SYN DoS-attacks then all CPUs are pinned down on the listen-spinlock
problem... troll running away hiding ;-)
</troll>
ps. I usually have a separate NIC on the machine for management/SSH
(using ip rule, routing tables to ensure this NIC has a separate
default gateway).
--
Best regards,
Jesper Dangaard Brouer
MSc.CS, Sr. Network Kernel Developer at Red Hat
Author of http://www.iptv-analyzer.org
LinkedIn: http://www.linkedin.com/in/brouer
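
The separate management NIC described in the postscript above, sketched as an added example that is not part of the original message: source-based policy routing gives the management address its own routing table and default gateway. The interface name, addresses, table id and rule priority are constructed placeholders, and the script only prints the commands unless `APPLY=1` is set.

```shell
#!/bin/sh
# Constructed placeholder values (RFC 5737 documentation range); adjust to the host.
MGMT_DEV="${MGMT_DEV:-eth1}"          # dedicated management/SSH NIC (assumed name)
MGMT_ADDR="${MGMT_ADDR:-192.0.2.10}"  # address sshd is reachable on
MGMT_NET="${MGMT_NET:-192.0.2.0/24}"  # on-link management subnet
MGMT_GW="${MGMT_GW:-192.0.2.1}"       # separate default gateway for this NIC
MGMT_TABLE="${MGMT_TABLE:-100}"       # private routing table id

# Print the iproute2 commands, one per line; fail on an unusable table id.
mgmt_policy_cmds() {
    case "$MGMT_TABLE" in
        ''|*[!0-9]*) echo "table id must be numeric" >&2; return 1 ;;
    esac
    # 0 and 253-255 are reserved (unspec, default, main, local).
    if [ "$MGMT_TABLE" -lt 1 ] || [ "$MGMT_TABLE" -gt 252 ]; then
        echo "table id must be in 1..252" >&2; return 1
    fi
    # Connected route, so on-link replies also stay on the management NIC.
    echo "ip route add $MGMT_NET dev $MGMT_DEV src $MGMT_ADDR table $MGMT_TABLE"
    # Default gateway that exists only in the management table.
    echo "ip route add default via $MGMT_GW dev $MGMT_DEV table $MGMT_TABLE"
    # Packets sourced from the management address consult that table before main.
    echo "ip rule add from $MGMT_ADDR/32 lookup $MGMT_TABLE priority 1000"
}

# Dry-run by default; APPLY=1 (as root) executes each command.
mgmt_policy_apply() {
    cmds=$(mgmt_policy_cmds) || return 1
    printf '%s\n' "$cmds" | while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = "1" ]; then
            $cmd || exit 1
        else
            echo "dry-run: $cmd"
        fi
    done
}

mgmt_policy_apply
```

After applying, `ip rule show` and `ip route show table 100` confirm the rule and the per-table default route.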