Re: UDP packet handling weird behaviour of various operating systems

From: Michal Zalewski (lcamtufat_private)
Date: Wed Jul 25 2001 - 14:38:32 PDT

    On Tue, 24 Jul 2001, Stefan Laudat wrote:
    
    > /.../ looks like it's raising some problems in a matter of CPU usage
    > for handling incoming UDP packets. Its initial aim was another one
    > (read the source) but accidentally it can be used for locking up
    > machines. You can try it from
    > http://rootshell.com/archive-j457nxiqi3gq59dv/199803/biffit.c
    > 
    > I'm not a TCP stack-writing guru but I presume the behaviour described
    > below is way beyond normal, as its results are quite different
    > depending on the OS used. Please don't bash me if I'm wrong.
    
    Uh-huh. Tested it on Linux 2.2 and 2.4, can't confirm the problem. It
    would be pretty strange, btw, since it simply generates a normal UDP packet,
    no black magic, really, and the remote system, unless there's a comsat service
    running, politely responds with 'ICMP destination port unreachable', which
    is translated into 'Connection refused'.
    
    Nothing magic about its behavior:
    
    sendto(4, "test@0", 6, 0, {sin_family=AF_INET, sin_port=htons(512),
    sin_addr=inet_addr("127.0.0.1")}}, 16) = -1 ECONNREFUSED (Connection
    refused)
    
    
    > 1. Linux 2.4.7 UP (pristine source, waiting for a new shiny Alan Cox patch) 
    > - system gets frozen after 3 seconds of flood on a gigabit link.
    
    Maybe there's a comsat service running? Or you made the system too busy handling
    I/O by flooding using 1 Gbit (I doubt it)...
    
    > 3. Windows 2000 Server UP. - the system graphs jump from 2% cpu usage
    > (in a calm evening with no ongoing backups and domain
    > synchronizations) to approx. 35% and holds it steady.
    
    Windows are usually impacted by high-ratio packet floods.
    
    > The flood is performed via a Gigabit link. The packet rate handling of
    > win2k is wonderful, it even beats an OpenBSD 2.8. Kudos to MS guys,
    > this one is a real hit. As I couldn't believe my eyes I ran some
    > applications on it (crunching queries on the local MS SQL2k server
    > etc) and I got timely-fashion responses.
    
    I believe you are actually testing link layer performance, PCI bus speed
    and network cards, not operating systems ;)
    
    -- 
    _____________________________________________________
    Michal Zalewski [lcamtufat_private] [security]
    [http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
    =-=> Did you know that clones never use mirrors? <=-=
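
The behaviour described in the message above (a datagram to a port with no listener draws an ICMP port unreachable, which the sender sees as ECONNREFUSED) can be reproduced on loopback. This is an added example, not part of the original message and not biffit.c; it assumes Linux with a working loopback interface, and `probe_udp` and `probe_case` are hypothetical names.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* Send one datagram to dst over a connected UDP socket, then wait 200 ms.
 * Returns ECONNREFUSED if an ICMP port unreachable came back, EAGAIN if not. */
static int probe_udp(const struct sockaddr_in *dst)
{
    struct timeval tv = { .tv_sec = 0, .tv_usec = 200000 };
    char buf[16];
    int err = 0, fd = socket(AF_INET, SOCK_DGRAM, 0);

    if (fd < 0) return errno;
    setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
    if (connect(fd, (const struct sockaddr *)dst, sizeof *dst) < 0 ||
        send(fd, "test", 4, 0) < 0 || recv(fd, buf, sizeof buf, 0) < 0)
        err = errno;                    /* the queued ICMP error surfaces here */
    close(fd);
    return err;
}

/* Pick a free loopback port, then probe it with a socket still bound to it
 * (listener=1, like a running comsat) or after releasing it (listener=0). */
int probe_case(int listener)
{
    struct sockaddr_in a = { .sin_family = AF_INET };  /* port 0: kernel picks */
    socklen_t len = sizeof a;
    int err = -1, fd = socket(AF_INET, SOCK_DGRAM, 0);

    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (fd >= 0 && bind(fd, (struct sockaddr *)&a, sizeof a) == 0 &&
        getsockname(fd, (struct sockaddr *)&a, &len) == 0) {
        if (!listener) { close(fd); fd = -1; }         /* nothing bound now */
        err = probe_udp(&a);
    }
    if (fd >= 0) close(fd);
    return err;
}

int main(void)
{
    printf("closed port: errno %d\n", probe_case(0));
    printf("bound port:  errno %d\n", probe_case(1));
    return 0;
}
```

With a socket bound to the port the datagram is simply queued and no ICMP error is generated, so the probe only times out.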
    



    This archive was generated by hypermail 2b30 : Thu Jul 26 2001 - 14:36:25 PDT