You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@hawq.apache.org by Ruilong Huo <rh...@pivotal.io> on 2016/12/11 00:38:54 UTC

Turning off DoS protection in hawq

Hi hawq community,

Anyone know that why we turn off DoS protection in hawq by setting
net.ipv4.tcp_syncookies to off in /etc/sysctl.conf? Any other reason from
hawq perspective other than below two more from operating system
perspective?

1) increase the number of concurrent tcp clients

2) reduce cpu overhead for creating and processing the syncookies. Though
the overhead is tiny

BTW: HAWQ turn off DoS protection
<http://hdb.docs.pivotal.io/210/hdb/install/install-cli.html> while
Greenplum Database enable DoS protection
<http://gpdb.docs.pivotal.io/4320/install_guide/prep_os_install_gpdb.html> by
default.

Best regards,
Ruilong Huo

Re: Turning off DoS protection in hawq

Posted by Paul Guo <pa...@gmail.com>.

By the way, just checked the doc. At least there is no need to set the
kernel tunable below
since the default value is that.

net.ipv4.ip_forward = 0



2016-12-11 20:13 GMT+08:00 Ruilong Huo <rh...@pivotal.io>:

> Thanks Zhanwei for the clarification.
>
> It is worthwhile to understand the highest tcp connection frequency that
> would cause OS consider the connection as DoS.
> We can then evaluate at which degree of concurrency (partitioned tables,
> column storage, etc) in hawq would cause that problem.
>
> BTW, here is some detail mechanism of protecting DoS with sync cookies:
> http://security.stackexchange.com/questions/20904/using-syn-
> cookies-to-perform-a-dos-attack
> .
>
> Best regards,
> Ruilong Huo
>
> On Sun, Dec 11, 2016 at 10:09 AM, Zhanwei Wang <wa...@apache.org> wrote:
>
> > HI Ruilong
> >
> >
> > According the pervious stress test, under very high workload, OS will
> > consider the connection from HAWQ to HDFS as Dos and reject the connect
> > request and then HAWQ query will fail.
> >
> > After disabling CO table in HAWQ, we have significantly reduced the file
> > write workload, I think it is time to reconsider this OS setting.
> >
> >
> >
> > Best Regards
> >
> > Zhanwei Wang
> > wangzw@apache.org
> >
> >
> >
> > > 在 2016年12月11日，上午8:38，Ruilong Huo <rh...@pivotal.io> 写道：
> > >
> > > Hi hawq community,
> > >
> > > Anyone know that why we turn off DoS protection in hawq by setting
> > > net.ipv4.tcp_syncookies to off in /etc/sysctl.conf? Any other reason
> from
> > > hawq perspective other than below two more from operating system
> > > perspective?
> > >
> > > 1) increase the number of concurrent tcp clients
> > >
> > > 2) reduce cpu overhead for creating and processing the syncookies.
> Though
> > > the overhead is tiny
> > >
> > > BTW: HAWQ turn off DoS protection
> > > <http://hdb.docs.pivotal.io/210/hdb/install/install-cli.html> while
> > > Greenplum Database enable DoS protection
> > > <http://gpdb.docs.pivotal.io/4320/install_guide/prep_os_
> > install_gpdb.html> by
> > > default.
> > >
> > > Best regards,
> > > Ruilong Huo
> >
> >
>

Re: Turning off DoS protection in hawq

Posted by Ruilong Huo <rh...@pivotal.io>.

Thanks Zhanwei for the clarification.

It is worthwhile to understand the highest tcp connection frequency that
would cause OS consider the connection as DoS.
We can then evaluate at which degree of concurrency (partitioned tables,
column storage, etc) in hawq would cause that problem.

BTW, here is some detail mechanism of protecting DoS with sync cookies:
http://security.stackexchange.com/questions/20904/using-syn-cookies-to-perform-a-dos-attack
.

Best regards,
Ruilong Huo

On Sun, Dec 11, 2016 at 10:09 AM, Zhanwei Wang <wa...@apache.org> wrote:

> HI Ruilong
>
>
> According the pervious stress test, under very high workload, OS will
> consider the connection from HAWQ to HDFS as Dos and reject the connect
> request and then HAWQ query will fail.
>
> After disabling CO table in HAWQ, we have significantly reduced the file
> write workload, I think it is time to reconsider this OS setting.
>
>
>
> Best Regards
>
> Zhanwei Wang
> wangzw@apache.org
>
>
>
> > 在 2016年12月11日，上午8:38，Ruilong Huo <rh...@pivotal.io> 写道：
> >
> > Hi hawq community,
> >
> > Anyone know that why we turn off DoS protection in hawq by setting
> > net.ipv4.tcp_syncookies to off in /etc/sysctl.conf? Any other reason from
> > hawq perspective other than below two more from operating system
> > perspective?
> >
> > 1) increase the number of concurrent tcp clients
> >
> > 2) reduce cpu overhead for creating and processing the syncookies. Though
> > the overhead is tiny
> >
> > BTW: HAWQ turn off DoS protection
> > <http://hdb.docs.pivotal.io/210/hdb/install/install-cli.html> while
> > Greenplum Database enable DoS protection
> > <http://gpdb.docs.pivotal.io/4320/install_guide/prep_os_
> install_gpdb.html> by
> > default.
> >
> > Best regards,
> > Ruilong Huo
>
>

Re: Turning off DoS protection in hawq

Posted by Zhanwei Wang <wa...@apache.org>.

HI Ruilong


According the pervious stress test, under very high workload, OS will consider the connection from HAWQ to HDFS as Dos and reject the connect request and then HAWQ query will fail.

After disabling CO table in HAWQ, we have significantly reduced the file write workload, I think it is time to reconsider this OS setting.



Best Regards

Zhanwei Wang
wangzw@apache.org



> 在 2016年12月11日，上午8:38，Ruilong Huo <rh...@pivotal.io> 写道：
> 
> Hi hawq community,
> 
> Anyone know that why we turn off DoS protection in hawq by setting
> net.ipv4.tcp_syncookies to off in /etc/sysctl.conf? Any other reason from
> hawq perspective other than below two more from operating system
> perspective?
> 
> 1) increase the number of concurrent tcp clients
> 
> 2) reduce cpu overhead for creating and processing the syncookies. Though
> the overhead is tiny
> 
> BTW: HAWQ turn off DoS protection
> <http://hdb.docs.pivotal.io/210/hdb/install/install-cli.html> while
> Greenplum Database enable DoS protection
> <http://gpdb.docs.pivotal.io/4320/install_guide/prep_os_install_gpdb.html> by
> default.
> 
> Best regards,
> Ruilong Huo