We recently had a server come under attack. Some script monkeys
started generating a bunch of pings and SYNs from a huge variety of
spoofed addresses (mostly in 43.0.0.0/8 and 44.0.0.0/8, for those that
are interested).
There were so many forged packets that the destination cache began to
overflow hundreds or thousands of times per second ("kernel: dst cache
overflow"). This had a huge negative impact on server performance.
Adjusting net/ipv4/route/(max_size|gc_interval) or flushing the route
cache manually on a regular basis seemed to have little or no
measurable impact on the problem. While IDS and manual filtering at
the firewall eventually resolved the problem, how do we protect
ourselves against this sort of attack in the future? Can the route
cache be disabled? The overflow path made less catastrophic?
TIA,
-- Patrick Michael Kane <modus-linux-kernel@pr.es.to> - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Fri Feb 28 2003 - 22:00:43 EST