From owner-freebsd-net@FreeBSD.ORG Fri Jan 13 15:29:32 2012
From: Nikolay Denev <ndenev@gmail.com>
To: Andre Oppermann
Cc: freebsd-net@freebsd.org
Date: Fri, 13 Jan 2012 17:29:25 +0200
Subject: Re: ICMP attacks against TCP and PMTUD
Message-Id: <897A1A91-61DB-4783-B38A-C77DBC54DD45@gmail.com>
In-Reply-To: <4F0FFDC9.1090503@freebsd.org>
List-Id: Networking and TCP/IP with FreeBSD

On Jan 13, 2012, at 11:47 AM, Andre Oppermann wrote:

> On 12.01.2012 18:55, Nikolay Denev wrote:
>> Hello,
>>
>> A web server that I administer running Nginx and FreeBSD-7.3-STABLE was recently
>> under an ICMP attack that generated a large amount of outgoing TCP traffic.
>> With some tcpdump and netflow analysis it was evident that the attackers are using
>> ICMP host-unreach need-frag messages to make the web server
>> retransmit multiple times, giving an amplification factor of about 1.6.
>> Then I noticed RFC5927 ( http://www.faqs.org/rfcs/rfc5927.html ) and specifically section 7.2
>> which discusses countermeasures against such attacks. The text reads:
>>
>> This section describes a modification to the PMTUD mechanism
>> specified in [RFC1191] and [RFC1981] that has been incorporated in
>> OpenBSD and NetBSD (since 2005) to improve TCP's resistance to the
>> blind performance-degrading attack described in Section 7.1.
>> The described counter-measure basically disregards ICMP messages when a
>> connection makes progress, without violating any of the requirements
>> stated in [RFC1191] and [RFC1981].
>>
>> The RFC is recent (dated July 2010), and it mentions Linux, FreeBSD, OpenBSD and NetBSD several times,
>> but in this particular paragraph it mentions only NetBSD and OpenBSD, so I'm asking whether
>> anyone has any idea if these modifications have been put into FreeBSD?
>
> We haven't implemented this (yet).
>
>> I quickly glanced at the source, but the TCP code is a bit too much for me :)
>>
>> Also, if anybody has observed a similar attack, how are you protecting yourself from it?
>> Simply blocking host-unreach need-frag would break PMTUD.
>
> We have a sysctl called "net.inet.tcp.minmss" which lower-bounds the
> MSS we accept in SYN and ICMP need frag messages. It defaults to 216
> as 256 is the smallest allowable MTU in the Internet. The only known
> user of MTU 256 is packet radio which isn't exactly much used on the
> common Internet. You should be able to safely increase this value to
> 536. If you are willing to live with a little bit of fall-out then
> 1220 is a good value as well.
>
>> P.S.: I know 7.3 is pretty old, and I've planned an upgrade to 8.2. I'm also curious if 8.2 will behave differently.
>
> No.
>
> --
> Andre

Thanks for the info Andre.

I'm now looking again at the pcap and I'm a bit confused.
First the possible attacker sends the ICMP need-frag packets with "MTU of next hop" set to zero, which in 2012 shouldn't be very common?
Then when my server sends a 66 byte FIN/ACK packet, the attacker continues to send need-frag ICMPs and the FreeBSD host sends FIN/ACK packets again.
Later on he again sends ICMP need-frag packets, but with a size of about 1048 bytes, carrying a very large part of the original packet's payload instead of the required few bytes; this then triggers excessive retransmits from the FreeBSD host, which generates a lot of traffic.
The retransmits are roughly ~300-500 byte packets.
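The two mitigations discussed in this thread, the net.inet.tcp.minmss floor Andre describes and the RFC 5927 section 7.2 deferral Nikolay asks about, as an added example written for this page. It is not FreeBSD, OpenBSD or NetBSD kernel code and not anything posted in the thread: the struct and function names, the `maxsizeacked` bookkeeping and the sample sequence numbers are the editor's assumptions, and the progress rule is a simplification of what the RFC specifies. A need-frag message is first checked against data actually in flight, then its claimed Next-Hop MTU is raised to the minmss floor (so a claim of 0, as seen in the pcap, cannot be taken literally), and finally the reduction is only recorded if segments larger than the claimed MTU have already been acknowledged; it is honoured on a retransmission timeout and dropped as soon as an ACK shows the connection still making progress.

```c
/* Added illustration for this thread (editor's own code, not a BSD kernel's):
 * (1) minmss floor on the MSS implied by an ICMP need-frag message and
 * (2) RFC 5927 section 7.2 style deferral of a PMTU reduction until the
 * connection stops making progress. Names and bookkeeping are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define TCPIP_HDR_LEN 40u   /* IPv4 + TCP header without options: MSS = MTU - 40 */

struct pmtu_conn {
    uint32_t snd_una;       /* oldest unacknowledged sequence number */
    uint32_t snd_nxt;       /* next sequence number to send */
    uint32_t pmtu;          /* path MTU currently used by this connection */
    uint32_t minmss;        /* lower bound on an accepted MSS (net.inet.tcp.minmss) */
    uint32_t maxsizeacked;  /* largest segment size acknowledged so far */
    uint32_t pending_mtu;   /* deferred need-frag MTU, 0 = nothing pending */
};

/* Outcome of processing one need-frag message. */
enum needfrag_result { NF_BAD_SEQ, NF_NO_CHANGE, NF_APPLIED, NF_DEFERRED };

/* Wrap-safe sequence-number comparisons. */
static bool seq_lt(uint32_t a, uint32_t b)  { return (int32_t)(a - b) < 0; }
static bool seq_leq(uint32_t a, uint32_t b) { return (int32_t)(a - b) <= 0; }

void pmtu_conn_init(struct pmtu_conn *c, uint32_t iss, uint32_t pmtu, uint32_t minmss)
{
    c->snd_una = c->snd_nxt = iss;
    c->pmtu = pmtu;
    c->minmss = minmss;
    c->maxsizeacked = c->pending_mtu = 0;
}

/* New data sent: it occupies [snd_nxt, snd_nxt + len). */
void pmtu_tcp_send(struct pmtu_conn *c, uint32_t len) { c->snd_nxt += len; }

/* ACK received. Returns true if it acknowledges new data. Progress shows the
 * path carries the segment sizes in use, so a deferred reduction is dropped.
 * acked_seg_size is the size of the segment this ACK covers (simplification). */
bool pmtu_tcp_ack(struct pmtu_conn *c, uint32_t ack, uint32_t acked_seg_size)
{
    if (!(seq_lt(c->snd_una, ack) && seq_leq(ack, c->snd_nxt)))
        return false;                          /* old or out-of-range ACK */
    c->snd_una = ack;
    if (acked_seg_size > c->maxsizeacked)
        c->maxsizeacked = acked_seg_size;
    c->pending_mtu = 0;
    return true;
}

/* ICMP "fragmentation needed" received; quoted_seq is the sequence number
 * from the TCP header echoed inside the ICMP payload. */
enum needfrag_result
pmtu_icmp_needfrag(struct pmtu_conn *c, uint32_t next_hop_mtu, uint32_t quoted_seq)
{
    /* 1. The quoted TCP header must refer to data still in flight. */
    if (!(seq_leq(c->snd_una, quoted_seq) && seq_lt(quoted_seq, c->snd_nxt)))
        return NF_BAD_SEQ;
    /* 2. minmss floor: a Next-Hop MTU of 0 (field not filled in, RFC 1191) or
     *    anything implying an MSS below minmss is raised to the floor. */
    uint32_t floor_mtu = c->minmss + TCPIP_HDR_LEN;
    uint32_t mtu = next_hop_mtu < floor_mtu ? floor_mtu : next_hop_mtu;
    if (mtu >= c->pmtu)
        return NF_NO_CHANGE;
    /* 3. Progress check: segments larger than the claimed MTU have already
     *    been acknowledged, so the claim contradicts observed path behaviour.
     *    Record it and wait for a retransmission timeout before honouring it. */
    if (c->maxsizeacked > mtu) {
        c->pending_mtu = mtu;
        return NF_DEFERRED;
    }
    c->pmtu = mtu;
    return NF_APPLIED;
}

/* Retransmission timeout: the connection is stalled, so a deferred reduction
 * is honoured now. Returns the PMTU in effect afterwards. */
uint32_t pmtu_tcp_rto(struct pmtu_conn *c)
{
    if (c->pending_mtu != 0) {
        c->pmtu = c->pending_mtu;
        c->pending_mtu = 0;
    }
    return c->pmtu;
}

/* Constructed scenario shaped like the thread's pcap: forged need-frag claims
 * while ACKs keep arriving, then a 1048-byte claim followed (or not) by a
 * stall. Returns the PMTU the connection ends up using. */
uint32_t attack_scenario(uint32_t minmss, bool stall)
{
    struct pmtu_conn c;
    pmtu_conn_init(&c, 1000, 1500, minmss);
    pmtu_tcp_send(&c, 1460);
    pmtu_tcp_ack(&c, 2460, 1500);          /* a full-size segment got through */
    pmtu_tcp_send(&c, 1460);
    pmtu_icmp_needfrag(&c, 0, 2460);       /* forged Next-Hop MTU 0: deferred */
    pmtu_tcp_ack(&c, 3920, 1500);          /* progress: deferred claim dropped */
    pmtu_tcp_send(&c, 1000);
    pmtu_icmp_needfrag(&c, 1048, 3920);    /* deferred again */
    if (stall)
        pmtu_tcp_rto(&c);                  /* no progress: now honoured */
    return c.pmtu;
}

int main(void)
{
    printf("forged claims, connection progressing: pmtu %u\n", attack_scenario(216, false));
    printf("same claims, then a stall: pmtu %u\n", attack_scenario(216, true));
    return 0;
}
```

The trade-off the RFC accepts is visible in the stalled case: a legitimate PMTU reduction on a busy connection only takes effect after one retransmission timeout instead of immediately. Two things the thread raises are outside this model: the oversized ICMP messages (1048 bytes of quoted payload) are neither rejected nor penalised here, and whether a particular stack already performs the step 1 sequence-number check is not something this thread establishes.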