Bugtraq mailing list archives

Re: UDP packet handling weird behaviour of various operating systems


From: Michal Zalewski <lcamtuf () gis net>
Date: Wed, 25 Jul 2001 17:38:32 -0400 (EDT)

On Tue, 24 Jul 2001, Stefan Laudat wrote:

> /.../ looks like it's raising some problems in a matter of CPU usage
> for handling incoming UDP packets. Its initial aim was another one
> (read the source) but accidentally it can be used for locking up
> machines. You can try it from
>
> http://rootshell.com/archive-j457nxiqi3gq59dv/199803/biffit.c
>
> I'm not a TCP stack-writing guru but I presume the behaviour described
> below is way beyond normal, as its results are quite different
> depending on the OS used. Please don't bash me if I'm wrong.

Uh-huh. Tested it on Linux 2.2 and 2.4, can't confirm the problem. It
would be pretty strange, btw, since it simply generates a normal UDP packet,
no black magic, really, and remote system, unless there's comsat service
running, politely responds with 'ICMP destination port unreachable', which
is translated into 'Connection refused'.

Nothing magic about its behavior:

sendto(4, "test@0", 6, 0, {sin_family=AF_INET, sin_port=htons(512),
sin_addr=inet_addr("127.0.0.1")}}, 16) = -1 ECONNREFUSED (Connection
refused)


> 1. Linux 2.4.7 UP (pristine source, waiting for a new shiny Alan Cox patch)
> - system gets frozen after 3 seconds of flood on a gigabit link.

Maybe there's comsat service running? Or you made system too busy handling
I/O by flooding using 1 Gbit (I doubt it)...

> 3. Windows 2000 Server UP. - the system graphs jump from 2% cpu usage
> (in a calm evening with no ongoing backups and domain
> synchronizations) to approx. 35% and holds it steady.

Windows are usually impacted by high-ratio packet floods.

> The flood is performed via a Gigabit link. The packet rate handling of
> win2k is wonderful, it even beats an OpenBSD 2.8. Kudos to MS guys,
> this one is a real hit. As I couldn't believe my eyes I ran some
> applications on it (crunching queries on the local MS SQL2k server
> etc) and I got timely-fashion responses.

I believe you are actually testing link layer performance, PCI bus speed
and network cards, not operating systems ;)

-- 
_____________________________________________________
Michal Zalewski [lcamtuf () bos bindview com] [security]
[http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
=-=> Did you know that clones never use mirrors? <=-=
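
The behaviour described in the reply above (a UDP datagram sent to a port with no listener draws 'ICMP destination port unreachable', which the sender's socket reports as ECONNREFUSED), as an added example that is not part of the original post or of biffit.c. It assumes a Linux host and probes loopback only; the names bind_loopback_udp and udp_port_refused and the 300 ms wait are hypothetical choices made for this illustration.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* Hypothetical helper: bind a UDP socket to 127.0.0.1 on a kernel-chosen port. */
int bind_loopback_udp(unsigned short *port) {
    struct sockaddr_in a = { .sin_family = AF_INET,
                             .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    socklen_t len = sizeof a;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    if (bind(fd, (struct sockaddr *)&a, sizeof a) < 0 ||
        getsockname(fd, (struct sockaddr *)&a, &len) < 0) { close(fd); return -1; }
    *port = ntohs(a.sin_port);
    return fd;
}

/* 1 = refused (ICMP port unreachable), 0 = no refusal before timeout, -1 = error. */
int udp_port_refused(const char *ip, unsigned short port) {
    struct sockaddr_in dst = { .sin_family = AF_INET, .sin_port = htons(port) };
    struct timeval tv = { 0, 300000 };  /* wait up to 300 ms for the ICMP error */
    char buf[16];
    int fd, r = 0;                      /* r stays 0 if a reply datagram arrives */
    if (inet_pton(AF_INET, ip, &dst.sin_addr) != 1) return -1;
    if ((fd = socket(AF_INET, SOCK_DGRAM, 0)) < 0) return -1;
    /* connect() sends nothing for UDP; it lets the kernel report ICMP errors here. */
    if (connect(fd, (struct sockaddr *)&dst, sizeof dst) < 0 ||
        setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv) < 0 ||
        send(fd, "test", 4, 0) < 0) { close(fd); return -1; }
    if (recv(fd, buf, sizeof buf, 0) < 0)
        r = errno == ECONNREFUSED ? 1 : (errno == EAGAIN || errno == EWOULDBLOCK) ? 0 : -1;
    close(fd);
    return r;
}

int main(void) {
    unsigned short p = 0;
    int fd = bind_loopback_udp(&p), bound;
    if (fd < 0) return 1;
    bound = udp_port_refused("127.0.0.1", p);  /* listener still bound: no ICMP */
    close(fd);                                 /* now nothing listens on p */
    printf("bound=%d closed=%d\n", bound, udp_port_refused("127.0.0.1", p));
    return 0;
}
```

A silent listener and a filtered port both return 0 here, so only the refused case is conclusive.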

