Linux 6.18 Will Be A Big Improvement For Servers Encountering DDoS Attacks
itsTomHarper
Member, Megathread Squad
in News
A set of patches merged via the networking pull request for Linux 6.18 will help servers better cope with distributed denial of service (DDoS) attacks. Thanks to a Google engineer, there are some significant optimizations in the Linux 6.18 kernel code for more efficient handling of UDP receive performance under stress, such as in DDoS scenarios.
More at:
https://www.phoronix.com/news/Linux-6.18-DDoS-Improvement

Comments
Death to Cloudflare.
They (phoronix) force an "accept or go through our cumbersome 'choices'" game on their readers (or more precisely victims), hence -> /ignored, not read.
Maybe OP can offer us more than a link and a quick copy_and_paste, aka a useful (i.e. not just their blurb) summary.
YYYEEESS!!!
Cloudflare MitM's soo many sites (including this forum), allegedly has some censorship issues, also stops everyone from creating their own search engine (blocking bots)
Their CAPTCHA is very slow and wastes a lot of user time!
All bots are welcome on my website, which does not use CF
Yeah here's the full article:
@jsg and just for you, because I know you can't read an article that long, I asked AI to summarize it for you:
• Refusing to click links and demanding others do it is entitled asshole behavior
• You're treating people like unpaid assistants, which is disrespectful
• You waste more time waiting for answers than clicking would take
• Your fingers, eyes, and brain work, probably, use them like a functional adult
• Click your own links and stop being lazy
Whether someone like you considers me asshole isn't relevant to me, if anything I take it as a compliment. So, thank you!
So, forcing visitors to play their game and to one way or another accept their rules is O.K. for you? Well then click "accept" and enjoy. I'll not even call you "asshole".
what are you guys even arguing about
he must be on some jank fuckass vpn ... I've never gotten any kind of challenge reading articles on phoronix ... not domestically, not even rawdoggin' shithole resort wifi in mexico... ublock origin helps, maybe - but then again, I'm usually on a phone so, who knows... this place is still a cesspool, lol
Good morning!
Strange...took me right to the article.
The guts of the article are copy/pasted below. Or look at this archive.ph I created just now: https://archive.ph/6XkuA
But even with a nearly 50% improvement in handling UDP traffic...a single server cannot cope with a DDoS. This just requires a larger DDoS than before. Which isn't a bad thing by any means, but this is not the end of DDoS protection needs.
Article:
"This series is the result of careful analysis of the UDP stack, to optimize the receive side, especially when one or several UDP sockets are receiving a DDOS attack.
I have measured a 47 % increase of throughput when using IPv6 UDP packets with 120 bytes of payload, under DDOS.
16 cpus are receiving traffic targeting a single socket.
Even after adding NUMA aware drop counters, we were suffering from false sharing between packet producers and the consumer.
1) First four patches are shrinking struct ipv6_pinfo size and reorganize fields to get more efficient TX path. They should also benefit TCP, by removing one cache line miss.
2) Patches 5 & 6 change how sk->sk_rmem_alloc is read and updated. They reduce spinlock contention on the busylock.
3) Patches 7 & 8 change the ordering of sk_backlog (including sk_rmem_alloc) sk_receive_queue and sk_drop_counters for better data locality.
4) Patch 9 removes the hashed array of spinlocks in favor of a per-udp-socket one.
5) Final patch adopts skb_attempt_defer_free(), after TCP got good results with it."
This isn’t a cure-all for every DDoS attack. If your network link or hardware (the uplink, internet channel, or NIC) is fully saturated, kernel-level optimizations can’t eliminate the physical congestion. Large-scale attacks still require additional network-side measures such as filtering, rate limiting, or traffic scrubbing by your provider.
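An added example, not from the article, the quoted patch series, or any poster in this thread: a small Python check a defender can use to tell socket-layer UDP drops (the receive-path cost the series optimizes) apart from plain uplink saturation, by diffing the UDP counters in /proc/net/snmp (IPv4) and /proc/net/snmp6 (IPv6). The counter text below is constructed; the file formats and counter names are the kernel's own.

```python
"""Added example: tell socket-layer UDP drops (what the quoted series speeds up) apart
from link saturation by diffing /proc/net/snmp (IPv4) and /proc/net/snmp6 (IPv6)."""
from typing import Dict

KEYS = ("InDatagrams", "InErrors", "RcvbufErrors")

def parse_snmp_udp(text: str) -> Dict[str, int]:
    """IPv4: /proc/net/snmp has a 'Udp:' header line followed by a 'Udp:' value line."""
    rows = [line.split()[1:] for line in text.splitlines() if line.startswith("Udp:")]
    if len(rows) < 2:
        raise ValueError("no Udp: section in input")
    return dict(zip(rows[0], map(int, rows[1])))

def parse_snmp6_udp(text: str) -> Dict[str, int]:
    """IPv6: /proc/net/snmp6 is one 'Udp6<Name> <value>' per line; strip the prefix."""
    out: Dict[str, int] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].startswith("Udp6"):
            out[parts[0][4:]] = int(parts[1])
    return out

def udp_drop_report(before: Dict[str, int], after: Dict[str, int], seconds: float) -> Dict[str, float]:
    """Rates over the interval. InErrors counts every datagram the socket layer dropped;
    RcvbufErrors is the subset dropped because the socket receive buffer was full."""
    delta = {k: after.get(k, 0) - before.get(k, 0) for k in KEYS}
    offered = delta["InDatagrams"] + delta["InErrors"]
    return {
        "datagrams_per_s": delta["InDatagrams"] / seconds,
        "rcvbuf_drops_per_s": delta["RcvbufErrors"] / seconds,
        "socket_drop_ratio": delta["InErrors"] / offered if offered else 0.0,
    }

# Constructed counter text, two readings 10 s apart, imitating a flood the socket could not drain.
HDR = "Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors IgnoredMulti MemErrors\n"
SNMP_BEFORE = HDR + "Udp: 1000 5 0 800 0 0 0 0 0\n"
SNMP_AFTER = HDR + "Udp: 4001000 5 6000000 900 6000000 0 0 0 0\n"
SNMP6_BEFORE = "Udp6InDatagrams 100\nUdp6InErrors 0\nUdp6RcvbufErrors 0\n"
SNMP6_AFTER = "Udp6InDatagrams 2000100\nUdp6InErrors 500000\nUdp6RcvbufErrors 500000\n"

def sample_report() -> Dict[str, Dict[str, float]]:
    """Report for the constructed samples; on Linux, feed the real /proc files instead."""
    return {
        "ipv4": udp_drop_report(parse_snmp_udp(SNMP_BEFORE), parse_snmp_udp(SNMP_AFTER), 10.0),
        "ipv6": udp_drop_report(parse_snmp6_udp(SNMP6_BEFORE), parse_snmp6_udp(SNMP6_AFTER), 10.0),
    }

if __name__ == "__main__":
    for fam, rep in sample_report().items():
        print(fam, rep)
```

On a live host, read the two /proc files a few seconds apart and pass the texts in place of the constructed samples: a climbing socket_drop_ratio while the NIC is nowhere near line rate is the receive-path bottleneck this work targets, whereas a saturated uplink with flat RcvbufErrors is the case the posters above say no kernel change fixes.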
Arseholes vs assholes.
Something fixed, something else broken. Normal daily kernel surprises.
This also means that the kernel is capable of sending outgoing floods better. Attackers benefit just as much.
A lot of people are going to see the headline and mistakenly think this will make a difference to their server during a DDoS attack...
It may help some providers who use linux for light scrubbing on nodes with huge connections, but serious scrubbing is done upstream and usually bypasses the kernel entirely.
It's not going to make your 1Gbps server be magically boosted to 1.47Gbps during a DDoS attack.
Just one period is sufficient. Three periods is doing it wrong.
you seem like the type of guy who beats the shit out of his wife after taking tylenol ...
Probably limited by the pipe size already. Meaning, if they could saturate a gigabit link already, this just reduces CPU usage to send same amount of traffic.
Wife beaters are known for basic grammar standards? If you say so. You must live in an extremely low IQ area.
You seem like the kind of uneducated red neck douche wearing a wife beater t-shirt while making that nonsensical statement.
whatever you say fuckface ... weird that you're so bored that you somehow get ragebaited by dots ... strange that some rando's grammar on the internet gets you so hot that you have to try to assert dominance on an internet forum... I'm sure your mom was proud of you before she died...
right now, @TimboJones is frantically typing up his reply ... make no mistake, my nonsensical comments have short-circuited the 3 remaining neurons that survived his mom's heroin and tylenol use while she was pregnant with him ... all he can do is come up with more cliche insults in response to my ridiculous insults, all while furiously beating off to the tentacle porn playing at full volume on his other monitor... almost there, timmeh... almost there...
Should have never made this thread.
c'mon, @TimboJones ... it's been 20 whole minutes ... lemme have it, man... tell me how terrible I am... how stupid I am... tell me how horrible my grammar is... tell me how I'm ruining your experience of the sacred forum ...
C'MON ... WHAT ARE YOU WAITING FOR!?!?! UNLEASH YOUR RAGE AT ME MAN!!! YOU DIDN'T HOLD BACK IN THE OTHER THREADS!! SAY ALL THE MEAN THINGS SO I KNOW THAT YOU'RE HIGHER STATUS THAN ME!!!
TELL ME I NEED MEDICATED, THAT MY GRAMMAR IS BAD, THAT I'M A HILLBILLY WHO DOESN'T HAVE GOOD READIN' SKILLS AND USES '...' TOO... MANY... TIMES...
WHY ARE YOU HOLDING OUT ON ME TIMMEH!!?!?!???? ... I'M WAITING SO PATIENTLY MAN... DON'T QUIT ON ME NOW, BRO!!!
TELL ME HOW MUCH BETTER THAN ME YOU ARE BECAUSE OF YOUR IMPECCABLE WRITING AND HIGH COMMENT COUNT AND GOOD ENGLISH SKILLS, TIMMY ...
WE ALL NEED TO KNOW HOW MUCH COOLER YOU ARE THAN ANYONE ELSE HERE, ESPECIALLY ME... !!! THIS IS YOUR CHANCE TO SHOW US ALL... LETS GOOOOOO....
WHERE THE HELL ARE YOU TIMMEH?!?!?!?
Thank you for that!
WUT? Some (alleged I guess) linux kernel improvement does not stop all DDOS attacks?! If only one could have seen that!!!
And what if the attackers, as they usually do, send IP4 packets? Strange to only check for one IP version and (as far as I can see) only one packet size (and btw one that is not particularly well selected, but probably gives the best result for the author and his "hurray" message ...)
Sense?
Oops, they spilled the beans (re IPv6 only)
Edit: WUT? again. Doesn't that guy know that 2 x 128 bits vs 2 x 32 bits makes absolutely no difference and actually only brings loads of advantages. Send some "IPv6 advocates" to that guy! And to the kernel team as well!
(small hint: (particularly) L1 caches do fit 32 bits perfectly well while 128 bits very often needs 2 cache lines. And I know from experience that cache, in particular L1 and L2 often are more relevant for performance than CPU speed. Example: that's one of the reasons why the new Epyc leaves the new Xeon in the dust. source (one of quite few): chipsandcheese).
Thanks again for your helpful "service"!
And for that super-selective mainly nothingburger they force their reader to click accept. Thanks no.
WUT? So faster packet processing works both ways? Who could have known?
I'm certainly no friend of that asshole, but why bring his mother in? Actually she might be a perfectly fine woman.
What I wrote was in no way meant to somehow attack you! Just saying.
yo wut
You're right ... tho in all reality, the only thing that would make this clownshow better is if HIS ACTUAL MOM came on here to crash out at me, too, for my dogshit F-tier communication skills. Man, that'd be a hell of a read with my morning coffee. I hope something like that happens... I can't wait.
... ... ...
He just triggered a response and left. And you, my friend, are stupidly waiting for a reply, which is exactly the action he wanted from you. So you are falling into the trap and, unless you have some other privileges, your posts may attract warnings from mods.
Thanks for explaining ... such a valuable insight. If I get a warning from the mods, my life will have less meaning.
Somehow this thread is leading nowhere
Thread closed