From owner-freebsd-net@freebsd.org Sun Jul 30 09:25:24 2017
From: Jov
Date: Sun, 30 Jul 2017 17:25:01 +0800
Subject: Re: ACK Storm protection?
To: Matt Riffle
Cc: freebsd-security@freebsd.org, freebsd-net@freebsd.org
In-Reply-To: <8F4BB6E0-66A3-4367-BD86-DC29F2BA3C0A@pair.com>
List-Id: Networking and TCP/IP with FreeBSD

freebsd-net@ added.

After googling "ack storm freebsd" I found a very old SA:

https://www.freebsd.org/security/advisories/FreeBSD-SA-98%3A07.rst.asc

which mentions:

> + * In the SYN-RECEIVED state, don't send an ACK unless the
> + * segment we received passes the SYN-RECEIVED ACK test.
> + * If it fails send a RST. This breaks the loop in the
> + * "LAND" DoS attack, and also prevents an ACK storm
> + * between two listening ports that have been sent forged
> + * SYN segments, each with the source address of the other.
> + */
> + if (tp->t_state == TCPS_SYN_RECEIVED && (tiflags & TH_ACK) &&
> + (SEQ_GT(tp->snd_una, ti->ti_ack) ||
> + SEQ_GT(ti->ti_ack, tp->snd_max)) )
> + goto dropwithreset;

Not sure whether there is also ACK storm protection in the established state.

2017-07-22 2:57 GMT+08:00 Matt Riffle :
> Hello,
>
> Starting on July 11, I’ve been seeing an increasing number of what
> appear to be “ACK storms” affecting a number of FreeBSD boxes I’m
> administering. There are a few unsupported releases mixed in, but this is
> also happening on boxes running 10.3-RELEASE-p3.
>
> In the cases we’re seeing, it begins with legitimate TCP traffic
> requesting something over HTTP, but soon thereafter we get an out of window
> packet and get into a loop. If anybody is interested or especially if
> they’ve experienced something similar, there are a few more details I could
> share privately.
>
> Setting aside the cause, I’m interested in trying to mitigate the
> problem. None of my Ubuntu boxes appear to be affected, I presume because
> of these patches Google made to the kernel there:
>
> https://www.ietf.org/mail-archive/web/tcpm/current/msg09445.html
>
> Is there any equivalent protection for FreeBSD? In my own research I’ve
> been unable to find anything. In fact, beyond the message above you can’t
> find very much about ACK storms at all.
>
> Right now we’re mitigating with custom code that is sniffing packets and
> adding temporary firewall rules whenever it sees a loop start, and that’s
> working well enough, but I’d prefer to handle it at a lower level if
> possible.
>
> Thanks,
>
> Matt R.
>
>
>
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
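Review bot: the check in the quoted SYN-RECEIVED hunk is gated on tp->t_state == TCPS_SYN_RECEIVED, so it only closes the loops its comment names (LAND, and forged SYNs between two listeners) and does nothing for the ESTABLISHED-state loop this thread is about, where an unacceptable segment is still answered with an ACK rather than a RST, which is precisely the exchange an ACK storm consists of; the advisory should not be read as a fix for the reported storms. The test itself is right: SEQ_GT(tp->snd_una, ti->ti_ack) || SEQ_GT(ti->ti_ack, tp->snd_max) is exactly the complement of RFC 793's acceptability condition SND.UNA =< SEG.ACK =< SND.NXT, and answering a bad ACK in SYN-RECEIVED with a RST is what RFC 793 prescribes, so there is no behavioural concern on that side.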
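The two behaviours discussed in this thread, side by side, as an added example (this is not code from the FreeBSD kernel, from the advisory, or from either poster): the SYN-RECEIVED acceptability test from the SA-98:07 hunk, written with a wrap-safe comparison equivalent to SEQ_GT(), and a toy simulation of the ESTABLISHED-state loop Matt describes, in which two peers whose sequence numbers have drifted apart keep answering each other's out-of-window segment with an ACK, as RFC 793 prescribes, so the loop never ends unless a packet is lost. The function and struct names, the sequence numbers and window sizes are all constructed, and the per-connection budget of unsolicited ACKs that ends the simulated storm is a hypothetical stand-in for a rate limit, not FreeBSD's or Linux's actual mechanism.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Wrap-safe 32-bit sequence comparisons with the semantics of FreeBSD's
 * SEQ_GT()/SEQ_LT() macros: a and b are compared modulo 2^32. */
static bool seq_gt(uint32_t a, uint32_t b) { return (int32_t)(a - b) > 0; }
static bool seq_lt(uint32_t a, uint32_t b) { return (int32_t)(a - b) < 0; }

/* The SYN-RECEIVED ACK test from the SA-98:07 hunk. An ACK is acceptable
 * iff snd_una <= ack <= snd_max (RFC 793: SND.UNA =< SEG.ACK =< SND.NXT);
 * the hunk answers anything else with a RST instead of an ACK. */
bool syn_rcvd_ack_acceptable(uint32_t snd_una, uint32_t snd_max, uint32_t ack)
{
    return !(seq_gt(snd_una, ack) || seq_gt(ack, snd_max));
}

/* Just enough ESTABLISHED-state per-connection state to show the loop
 * (hypothetical struct, not the kernel's tcpcb). */
struct peer {
    uint32_t rcv_nxt;     /* next sequence number we expect from the other side */
    uint32_t rcv_wnd;     /* receive window we advertise */
    uint32_t snd_nxt;     /* next sequence number we will send */
    unsigned acks_sent;   /* ACKs emitted in reply to out-of-window segments */
    unsigned ack_budget;  /* hypothetical cap on such ACKs (stand-in for a rate limit) */
};

struct seg {
    bool present;         /* false = no segment emitted */
    uint32_t seq, ack;
};

/* RFC 793 receive processing for a pure ACK in ESTABLISHED, reduced to the
 * acceptability test: a segment whose seq is outside [rcv_nxt, rcv_nxt+rcv_wnd)
 * is dropped and answered with an ACK carrying our current rcv_nxt. That reply
 * is what the other side then sees as *its* out-of-window segment. */
static struct seg process(struct peer *p, struct seg in)
{
    struct seg out = { .present = false };
    bool acceptable = !seq_lt(in.seq, p->rcv_nxt) &&
                      seq_lt(in.seq, p->rcv_nxt + p->rcv_wnd);
    if (acceptable)
        return out;             /* normal data/ACK processing would happen here */
    if (p->ack_budget == 0)
        return out;             /* budget exhausted: drop silently, send nothing */
    p->ack_budget--;
    p->acks_sent++;
    out.present = true;
    out.seq = p->snd_nxt;
    out.ack = p->rcv_nxt;
    return out;
}

/* Two peers whose send sequence numbers are 100000 bytes ahead of what the
 * other side expects (constructed desync). Returns the number of ACKs the two
 * sides exchange before the loop stops; with no loss and an unlimited budget
 * it only stops because max_rounds caps the simulation. */
unsigned simulate_ack_storm(unsigned budget, unsigned max_rounds)
{
    struct peer a = { .rcv_nxt = 1000, .rcv_wnd = 65535, .snd_nxt = 5000 + 100000,
                      .acks_sent = 0, .ack_budget = budget };
    struct peer b = { .rcv_nxt = 5000, .rcv_wnd = 65535, .snd_nxt = 1000 + 100000,
                      .acks_sent = 0, .ack_budget = budget };
    struct peer *rx = &b, *tx = &a;
    /* A's first segment to B is already outside B's window. */
    struct seg s = { .present = true, .seq = a.snd_nxt, .ack = a.rcv_nxt };
    unsigned rounds = 0;
    while (s.present && rounds < max_rounds) {
        s = process(rx, s);
        rounds++;
        struct peer *t = rx; rx = tx; tx = t;   /* the reply travels the other way */
    }
    return a.acks_sent + b.acks_sent;
}

int main(void)
{
    printf("SYN-RECEIVED: ack 150 in [100,200] acceptable=%d, ack 201 acceptable=%d\n",
           syn_rcvd_ack_acceptable(100, 200, 150), syn_rcvd_ack_acceptable(100, 200, 201));
    printf("wrap: una=0xfffffff0 max=0x10 ack=0x5 acceptable=%d\n",
           syn_rcvd_ack_acceptable(0xfffffff0u, 0x10u, 0x5u));
    printf("storm, unlimited ACKs: %u ACKs in 1000 rounds (never converges)\n",
           simulate_ack_storm(1000000u, 1000u));
    printf("storm, budget 5 per side: %u ACKs, then silence\n",
           simulate_ack_storm(5u, 1000u));
    return 0;
}
```

The point of the simulation is the asymmetry between the two states: in SYN-RECEIVED the advisory's test turns an unacceptable ACK into a RST, which tears the bogus connection down, while in ESTABLISHED the RFC 793 reply to an unacceptable segment is itself another ACK, so two desynchronised endpoints feed each other indefinitely and only a dropped packet (here, the budget) breaks the cycle. A real rate limit of this kind must be per-connection or per-peer, otherwise one storming connection can starve legitimate challenge ACKs on the rest of the host.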