From: Matt Riffle <matt@pair.com>
Subject: ACK Storm protection?
Date: Fri, 21 Jul 2017 14:57:45 -0400
To: freebsd-security@freebsd.org

Hello,

Starting on July 11, I've started to see an increasing number of what appear to be "ACK storms" affecting a number of FreeBSD boxes I'm administering. There are a few unsupported releases mixed in, but this is also happening on boxes running 10.3-RELEASE-p3.

In the cases we're seeing, it begins with legitimate TCP traffic requesting something over HTTP, but soon thereafter we get an out-of-window packet and get into a loop. If anybody is interested, or especially if they've experienced something similar, there are a few more details I could share privately.

Setting aside the cause, I'm interested in trying to mitigate the problem. None of my Ubuntu boxes appear to be affected, I presume because of these patches Google made to the kernel there:

https://www.ietf.org/mail-archive/web/tcpm/current/msg09445.html

Is there any equivalent protection for FreeBSD? In my own research I've been unable to find anything. In fact, beyond the message above you can't find very much about ACK storms at all.

Right now we're mitigating with custom code that is sniffing packets and adding temporary firewall rules whenever it sees a loop start, and that's working well enough, but I'd prefer to handle it at a lower level if possible.

Thanks,
Matt R.
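The poster describes a stopgap of sniffing packets and inserting a temporary firewall rule when a loop starts. The following is an added example of what that detector can look like; it is not the poster's code and not part of FreeBSD. An ACK storm has a distinctive shape on the wire: two peers exchange pure ACKs (ACK flag only, no payload) in which neither side's sequence or acknowledgement number advances, because each segment is unacceptable to the receiver, which answers with its own state and drops it (RFC 793 behaviour, with RFC 5961 section 4 rate-limiting being the fix Linux carries). A healthy download also produces many pure ACKs per second, but their ack numbers move. The detector below flags a flow when two repeated (sender, seq, ack) tuples dominate the pure ACKs seen in a one-second window, and emits a `pfctl` command that adds the remote peer to a pf table. The table name `ackstorm`, the threshold of 50 ACKs per second, and the 90% dominance ratio are assumptions; the pf.conf lines `table <ackstorm> persist` and `block in quick from <ackstorm>` are assumed to exist. The sample traffic is constructed, using RFC 5737 documentation addresses.

```python
"""Detect TCP ACK storms in a packet stream and emit a pf table entry.

Added example (not from the original post or from FreeBSD). Assumes pf.conf
carries `table <ackstorm> persist` and `block in quick from <ackstorm>`.
"""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float      # capture time in seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: str     # TCP flags as letters, e.g. "S", "SA", "A", "PA"
    seq: int
    ack: int
    payload: int   # TCP payload length in bytes


def flow_key(pkt):
    """Direction-independent 4-tuple so both halves of a loop share one key."""
    a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
    return (a, b) if a <= b else (b, a)


class AckStormDetector:
    def __init__(self, threshold=50, window=1.0, dominance=0.9):
        self.threshold = threshold    # pure ACKs per window before we look closer
        self.window = window          # seconds
        self.dominance = dominance    # share of ACKs the top two tuples must hold
        self.history = defaultdict(deque)
        self.flagged = set()

    def observe(self, pkt):
        """Feed one packet; return the flow key the first time it is judged a storm."""
        if pkt.flags != "A" or pkt.payload != 0:   # only pure ACKs matter here
            return None
        key = flow_key(pkt)
        dq = self.history[key]
        while dq and pkt.ts - dq[0][0] > self.window:   # slide the window
            dq.popleft()
        dq.append((pkt.ts, pkt.src, pkt.seq, pkt.ack))
        if len(dq) < self.threshold or key in self.flagged:
            return None
        # In a storm the numbers are frozen: each side repeats one identical
        # pure ACK, so two tuples account for almost every segment in the window.
        top_two = Counter((s, q, a) for _, s, q, a in dq).most_common(2)
        if sum(n for _, n in top_two) >= self.dominance * len(dq):
            self.flagged.add(key)
            return key
        return None


def pf_table_command(remote_ip, table="ackstorm"):
    """Command that adds the peer to the assumed pf table (not executed here)."""
    return f"pfctl -t {table} -T add {remote_ip}"


def run(packets, local_hosts, threshold=50, window=1.0):
    """Scan a packet list; return [(remote_ip, pfctl command)] per flagged flow."""
    det = AckStormDetector(threshold, window)
    actions = []
    for pkt in sorted(packets, key=lambda p: p.ts):
        key = det.observe(pkt)
        if key is None:
            continue
        (ip1, _), (ip2, _) = key
        remote = ip2 if ip1 in local_hosts else ip1
        actions.append((remote, pf_table_command(remote)))
    return actions


# Constructed sample traffic (RFC 5737 documentation addresses).
LOCAL, REMOTE = "198.51.100.10", "203.0.113.7"


def sample_http():
    """Constructed: handshake, request, then a 60-segment response. The client's
    pure ACKs advance their ack number every time, so this must not be flagged."""
    pkts = [
        Packet(0.000, REMOTE, 40001, LOCAL, 80, "S", 1000, 0, 0),
        Packet(0.010, LOCAL, 80, REMOTE, 40001, "SA", 5000, 1001, 0),
        Packet(0.020, REMOTE, 40001, LOCAL, 80, "A", 1001, 5001, 0),
        Packet(0.021, REMOTE, 40001, LOCAL, 80, "PA", 1001, 5001, 200),
    ]
    seq = 5001
    for i in range(60):
        t = 0.030 + i * 0.005
        pkts.append(Packet(t, LOCAL, 80, REMOTE, 40001, "A", seq, 1201, 1460))
        seq += 1460
        pkts.append(Packet(t + 0.002, REMOTE, 40001, LOCAL, 80, "A", 1201, seq, 0))
    return pkts


def sample_storm():
    """Constructed: same start, then an out-of-window segment desynchronises the
    peers and each answers the other's unacceptable ACK with its own, numbers frozen."""
    pkts = sample_http()[:4]
    pkts.append(Packet(0.030, REMOTE, 40001, LOCAL, 80, "A", 999999, 5001, 0))
    for i in range(40):
        t = 0.031 + i * 0.004
        pkts.append(Packet(t, LOCAL, 80, REMOTE, 40001, "A", 5001, 1201, 0))
        pkts.append(Packet(t + 0.002, REMOTE, 40001, LOCAL, 80, "A", 999999, 5001, 0))
    return pkts


if __name__ == "__main__":
    print("http :", run(sample_http(), {LOCAL}))
    print("storm:", run(sample_storm(), {LOCAL}))
```

In practice the `Packet` records would come from a live capture or a pcap rather than the constructed lists, and the block is made temporary the way the poster describes by periodically running `pfctl -t ackstorm -T expire 300` (again assuming that table name). The dominance check, rather than a bare rate threshold, is what keeps a busy legitimate download from being blocked: its ACK numbers move, so no two tuples dominate the window. This only suppresses the symptom the poster sees; it is not a substitute for the in-kernel rate limiting the question asks about.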