Pushing the envelope

Darren's take on Java, agile methods, cool open source stuff, interesting technologies and other random wanderings through the land of blog.
Updated: 26/01/2003; 11:51:02.

  14 November 2002

Internet not obsolete yet

The Top Seven Things Wrong with the Internet. The Internet is in serious need of an upgrade in a number of areas. Some of these problems already have fixes, they're just not being rolled out because it's considered too hard, or there are large vested interests in maintaining the status quo. (This was originally going to be a top ten, but I ran out of writing time during my lunch hour. I may amend the list later.) (1003 Words) [The Fishbowl]

To address some of your points:

1. DDOS attacks. ISPs already have the ability to contain some of these and make them less damaging. It's called something like 'Packet Egress Filtering'. One of the ways that DDOS attacks like SYN floods and the 'ping of death' work is that they get lots of machines to send packets with spoofed IP addresses. In the example of SYN floods (as I understand it - I may be wrong) zombie machines are instructed to send out TCP SYN requests (the initial 'handshake' request for opening a connection to another machine), with the source IP spoofed to be that of the machine being targeted for the denial-of-service. A server receiving a SYN request will send an ACK response to the source IP to acknowledge the connection. If sufficient zombies are all sending spoofed SYN packets, the target is buried under a flood of ACK packets all coming from well-meaning servers that are under the impression it tried to initiate a connection with them. The really sneaky part is that each individual middle-man machine would only see a very minor increase in traffic, as it's the aggregated total of all the middle-men sending ACKs that swamps the target system. A variation of this (I'm more fuzzy on this one so I may be even more wrong) is sending SYN packets directly to the victim system, with source IPs spoofed to be non-existent. The victim will try and send an ACK response, which will go nowhere, so it will try again, several times before giving up. Given enough SYN packets, it will eventually be spending its entire time trying to send ACKs and not servicing genuine requests.

How does egress filtering address these issues? An ISP knows which IP address ranges belong to it, and could put this data into their routers, such that any packet that arrives at the inside edge of their network that claims to be from an IP that is NOT within the ISP's allocated range could simply be dropped. This would prevent packets with spoofed source IP addresses ever getting out of the originating network.

This is about the limits of my knowledge on this. More info: here, and here
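The source-address check described in point 1, as an added example that is not part of the original post: a Python model of the drop decision made at the inside edge of an ISP's network. The prefixes are documentation ranges standing in for an ISP's allocation, and the packet list is constructed; both are assumptions.

```python
import ipaddress
from collections import Counter

# Assumption: documentation prefixes stand in for the ISP's allocated ranges.
ALLOCATED = [ipaddress.ip_network(p) for p in
             ("192.0.2.0/24", "198.51.100.0/25", "2001:db8:100::/48")]

# Constructed sample of outbound packets: claimed-source destination kind
SAMPLE_PACKETS = """\
192.0.2.17 203.0.113.80 tcp-syn
203.0.113.5 203.0.113.80 tcp-syn
198.51.100.130 203.0.113.80 tcp-syn
2001:db8:100::42 2001:db8:ffff::1 tcp-syn
2001:db8:200::42 2001:db8:ffff::1 tcp-syn
not-an-ip 203.0.113.80 tcp-syn
"""

def source_is_ours(src, allocated=ALLOCATED):
    """True only if src parses as an address inside an allocated prefix."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable source address: fail closed
    # Only compare against prefixes of the same IP version.
    return any(addr.version == net.version and addr in net
               for net in allocated)

def egress_filter(packet_lines, allocated=ALLOCATED):
    """Split packets into forwarded and dropped; count drops per claimed source."""
    forwarded, dropped, claimed = [], [], Counter()
    for line in packet_lines.splitlines():
        if not line.strip():
            continue
        src, dst, kind = line.split()
        if source_is_ours(src, allocated):
            forwarded.append((src, dst, kind))
        else:
            dropped.append((src, dst, kind))
            claimed[src] += 1  # the address the sender pretended to be
    return forwarded, dropped, claimed

if __name__ == "__main__":
    fwd, drop, claimed = egress_filter(SAMPLE_PACKETS)
    print(f"forwarded {len(fwd)}, dropped {len(drop)}")
    for src, count in claimed.most_common():
        print(f"  dropped {count} packet(s) claiming source {src}")
```

The per-source drop count is worth logging: repeated drops for one claimed address indicate a host inside the network that is sending spoofed traffic and needs cleaning up.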

3. IP numbers. IPv6 is on its way, with mind-boggling numbers of er, numbers. Unfortunately, inertia (and upgrade cost) is against us on this one. It will get here eventually (I hope).

7. Amero-centricity. Agreed. :)


9:15:24 PM

Refuse Collection Engineering

Turbo-charging Java HotSpot Virtual Machine, v1.4.x to Improve the Performance and Scalability of Application Servers. This paper describes the requirements of a Telecommunication (Telco) application server written in Java, and how those requirements might influence Java virtual machine design. Most of the discussion is not limited to Telco alone, but applies to the enterprise as well. [Java-Channel]

Some serious detail on Java garbage collection here. Tweaking GC can have major impacts on application performance. I've obtained speed-ups of up to 500% on batch operations (turning a 1-hour task into a 12-minute one) by doing this. For almost all server-side or long-running batch applications, the default young generation size is way, way too small, and should be increased to a significant proportion of the JVM's maximum memory.

-verbose:gc is your friend.
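An added example, not from the original post: a Python summary of -verbose:gc output that counts minor and full collections and the share of run time spent paused, the figures to compare before and after changing the young generation size. The line format is assumed to be the one HotSpot 1.4.x prints, and the sample log and the 10-second run time are constructed.

```python
import re

# Assumed line format of HotSpot 1.4.x -verbose:gc output, e.g.
#   [GC 325407K->83000K(776768K), 0.2300771 secs]
#   [Full GC 267628K->83769K(776768K), 1.8479984 secs]
GC_LINE = re.compile(
    r"\[(Full GC|GC) (\d+)K->(\d+)K\((\d+)K\), (\d+\.\d+) secs\]")

# Constructed sample log (not from a real run); non-GC lines are ignored.
SAMPLE_LOG = """\
[GC 4096K->1024K(65536K), 0.0100000 secs]
[GC 5120K->2048K(65536K), 0.0200000 secs]
some application output
[GC 6144K->3072K(65536K), 0.0300000 secs]
[Full GC 60000K->20000K(65536K), 1.5000000 secs]
"""

def summarize_gc(log_text, wall_clock_secs):
    """Count minor and full collections and the share of run time spent in GC."""
    stats = {kind: {"count": 0, "pause_secs": 0.0, "freed_kb": 0}
             for kind in ("GC", "Full GC")}
    for match in GC_LINE.finditer(log_text):
        kind, before_kb, after_kb, _heap_kb, secs = match.groups()
        entry = stats[kind]
        entry["count"] += 1
        entry["pause_secs"] += float(secs)
        entry["freed_kb"] += int(before_kb) - int(after_kb)
    total_pause = sum(e["pause_secs"] for e in stats.values())
    return {"minor": stats["GC"], "full": stats["Full GC"],
            "gc_share": total_pause / wall_clock_secs}

if __name__ == "__main__":
    summary = summarize_gc(SAMPLE_LOG, wall_clock_secs=10.0)
    for name in ("minor", "full"):
        s = summary[name]
        print(f"{name}: {s['count']} collections, "
              f"{s['pause_secs']:.2f}s paused, {s['freed_kb']}K freed")
    print(f"time in GC: {summary['gc_share']:.1%}")
```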

8:41:08 PM

Healthy Competition

Aspects and Attributes are both Big News in Java blog land currently. I'll say this about MS: one positive thing .NET has done is kicked us all in our complacency, and inspired a whole raft of really excellent projects. It's great to see the number of committed Java people who are out there learning from .NET and adding the good bits to Java.


9:58:58 AM

© Copyright 2003 Darren Hobbs