We recently had a server come under attack. Some script monkeys
started generating a bunch of pings and SYNs from a huge variety of
spoofed addresses (mostly in 22.214.171.124/8 and 126.96.36.199/8, for those that
There were so many forged packets that the destination cache began to
overflow hundreds or thousands of times per second ("kernel: dst cache
overflow"). This had a huge negative impact on server performance.
Adjusting net/ipv4/route/(max_size|gc_interval) or flushing the route
cache manually on a regular basis seemed to have little or no
measurable impact on the problem. While IDS and manual filtering at
the firewall eventually resolved the problem, how do we protect
ourselves against this sort of attack in the future? Can the route
cache be disabled? The overflow path made less catastrophic?
Patrick Michael Kane
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/