Posted to users@trafficserver.apache.org by Ian Kinch <ia...@gmail.com> on 2013/05/15 04:31:55 UTC
Modification TCP stack
Hi guys, I have some questions.
- Can I modify the TCP stack?
- Is there a way to involve syncookie in apache?
--
==============
*Regards,*
*Ian Febrian Reza M Yulianto*
Re: Modification TCP stack
Posted by Ian Kinch <ia...@gmail.com>.
Oh I see, thank you for your explanation.
On Wed, May 15, 2013 at 9:22 PM, Reindl Harald <h....@thelounge.net> wrote:
>
>
> On 15.05.2013 16:16, Ian Kinch wrote:
> > So, you said that it is impossible, right?
>
> no, I said it makes no sense
>
> the kernel itself has the capabilities for syncookies
> and there is zero reason to bother the application
> layer with this, that is the same as rate controls
> belong in the iptables-layer and not in the attacked
> application
>
> * put "net.ipv4.tcp_syncookies = 1" in your sysctl.conf
> * type "sysctl -p"
>
> > On Wed, May 15, 2013 at 9:15 PM, Reindl Harald <h.reindl@thelounge.net> wrote:
> >
> >
> > On 15.05.2013 15:46, Ian Kinch wrote:
> > > I want to make a little modification in the TCP stack. Instead of replying with SYN+ACK, apache will send SYNCOOKIE.
> > > I am trying to build an anti-DDoS that mimics a flash crowd.
> > > Sorry if my question is a little bit confusing, my English is not that good
> >
> > this does not belong in the daemon itself!
> >
> > [root@srv-rhsoft:~]$ sysctl net.ipv4.tcp_syncookies
> > net.ipv4.tcp_syncookies = 1
>
>
--
==============
*Regards,*
*Ian Febrian Reza M Yulianto*
Re: Modification TCP stack
Posted by Reindl Harald <h....@thelounge.net>.
On 15.05.2013 16:16, Ian Kinch wrote:
> So, you said that it is impossible, right?
no, I said it makes no sense
the kernel itself has the capabilities for syncookies
and there is zero reason to bother the application
layer with this, that is the same as rate controls
belong in the iptables-layer and not in the attacked
application
* put "net.ipv4.tcp_syncookies = 1" in your sysctl.conf
* type "sysctl -p"
> On Wed, May 15, 2013 at 9:15 PM, Reindl Harald <h.reindl@thelounge.net> wrote:
>
>
> On 15.05.2013 15:46, Ian Kinch wrote:
> > I want to make a little modification in the TCP stack. Instead of replying with SYN+ACK, apache will send SYNCOOKIE.
> > I am trying to build an anti-DDoS that mimics a flash crowd.
> > Sorry if my question is a little bit confusing, my English is not that good
>
> this does not belong in the daemon itself!
>
> [root@srv-rhsoft:~]$ sysctl net.ipv4.tcp_syncookies
> net.ipv4.tcp_syncookies = 1
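
How a kernel can answer a SYN without keeping any per-connection state, which is what the sysctl above switches on: an added Python sketch, not code from this thread and not the Linux implementation. It uses a simplified cookie layout (5-bit time counter, 3-bit MSS index, 24-bit HMAC-SHA256 tag); the secret, MSS table, tick length and function names are constructed for illustration.

```python
import hashlib
import hmac
import socket
import struct

SECRET = b"constructed-demo-secret"  # constructed; a real stack uses a random boot-time key
MSS_TABLE = (216, 536, 768, 996, 1024, 1220, 1440, 1460)  # constructed 3-bit MSS table
TICK = 64  # seconds per time-counter step (assumed for this sketch)


def _cookie(caddr, cport, saddr, sport, client_isn, t, idx):
    """Pack counter (5 bits), MSS index (3 bits) and a 24-bit MAC into 32 bits."""
    msg = socket.inet_aton(caddr) + socket.inet_aton(saddr)
    msg += struct.pack("!HHIIB", cport, sport, client_isn, t, idx)
    mac = int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")
    return ((t % 32) << 27) | (idx << 24) | mac


def make_cookie(caddr, cport, saddr, sport, client_isn, client_mss, now):
    """Sequence number for the SYN+ACK. No per-connection state is stored."""
    # Largest table entry that does not exceed the MSS the client offered.
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    return _cookie(caddr, cport, saddr, sport, client_isn, int(now) // TICK, idx)


def check_cookie(caddr, cport, saddr, sport, seq_num, ack_num, now, max_age=1):
    """Validate the handshake-completing ACK; return the MSS, or None if invalid."""
    cookie = (ack_num - 1) & 0xFFFFFFFF      # client acknowledges cookie + 1
    client_isn = (seq_num - 1) & 0xFFFFFFFF  # client sends its own ISN + 1
    idx = (cookie >> 24) & 0x7
    t_now = int(now) // TICK
    # Recompute for the current tick and up to max_age earlier ticks.
    for t in range(t_now, max(t_now - max_age, 0) - 1, -1):
        expected = _cookie(caddr, cport, saddr, sport, client_isn, t, idx)
        if hmac.compare_digest(expected.to_bytes(4, "big"), cookie.to_bytes(4, "big")):
            return MSS_TABLE[idx]
    return None
```
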
Re: Modification TCP stack
Posted by Ian Kinch <ia...@gmail.com>.
So, you said that it is impossible, right?
On Wed, May 15, 2013 at 9:15 PM, Reindl Harald <h....@thelounge.net> wrote:
>
> On 15.05.2013 15:46, Ian Kinch wrote:
> > I want to make a little modification in the TCP stack. Instead of replying with SYN+ACK, apache will send SYNCOOKIE.
> > I am trying to build an anti-DDoS that mimics a flash crowd.
> > Sorry if my question is a little bit confusing, my English is not that good
>
> this does not belong in the daemon itself!
>
> [root@srv-rhsoft:~]$ sysctl net.ipv4.tcp_syncookies
> net.ipv4.tcp_syncookies = 1
>
>
>
>
--
==============
*Regards,*
*Ian Febrian Reza M Yulianto*
Re: Modification TCP stack
Posted by Reindl Harald <h....@thelounge.net>.
On 15.05.2013 15:46, Ian Kinch wrote:
> I want to make a little modification in the TCP stack. Instead of replying with SYN+ACK, apache will send SYNCOOKIE.
> I am trying to build an anti-DDoS that mimics a flash crowd.
> Sorry if my question is a little bit confusing, my English is not that good
this does not belong in the daemon itself!
[root@srv-rhsoft:~]$ sysctl net.ipv4.tcp_syncookies
net.ipv4.tcp_syncookies = 1
Re: Modification TCP stack
Posted by Ian Kinch <ia...@gmail.com>.
I want to make a little modification in the TCP stack. Instead of replying with SYN+ACK,
apache will send SYNCOOKIE.
I am trying to build an anti-DDoS that mimics a flash crowd.
Sorry if my question is a little bit confusing, my English is not that good.
On Wed, May 15, 2013 at 2:52 PM, Gary Law <ga...@garylaw.net> wrote:
> There's an interesting article here on bypassing TCP stack/kernel:-
>
>
> http://highscalability.com/blog/2013/5/13/the-secret-to-10-million-concurrent-connections-the-kernel-i.html
>
> Enjoy
>
> Gary
>
>
>
--
==============
*Regards,*
*Ian Febrian Reza M Yulianto*
Re: Modification TCP stack
Posted by Gary Law <ga...@garylaw.net>.
There's an interesting article here on bypassing TCP stack/kernel:-
http://highscalability.com/blog/2013/5/13/the-secret-to-10-million-concurrent-connections-the-kernel-i.html
Enjoy
Gary
Re: Modification TCP stack
Posted by Igor Galić <i....@brainsware.org>.
answers inline
----- Original Message -----
> Hi guys, I have some questions.
> - Can I modify the TCP stack?
As far as the underlying kernel allows us to and it makes sense to do so, we do that. One prominent example would be
https://issues.apache.org/jira/browse/TS-940
which I just realized could use some documentation.
> - Is there a way to involve syncookie in apache?
In what way?
> --
> ==============
> Regards,
> Ian Febrian Reza M Yulianto
--
Igor Galić
Tel: +43 (0) 664 886 22 883
Mail: i.galic@brainsware.org
URL: http://brainsware.org/
GPG: 6880 4155 74BD FD7C B515 2EA5 4B1D 9E08 A097 C9AE