From owner-freebsd-net@FreeBSD.ORG Sun Jan 15 18:59:38 2012
From: Nikolay Denev
Date: Sun, 15 Jan 2012 20:59:32 +0200
To: Andrey Zonov
Cc: freebsd-net@freebsd.org
Subject: Re: ICMP attacks against TCP and PMTUD
Message-Id: <733BE6AF-33E0-4C16-A222-B5F5D0519194@gmail.com>
In-Reply-To: <4F131A7D.4020006@zonov.org>
References: <4F131A7D.4020006@zonov.org>
List-Id: Networking and TCP/IP with FreeBSD

On Jan 15, 2012, at 8:27 PM, Andrey Zonov wrote:

> Hi,
>
> Could you please show the output of `vmstat -z | grep hostcache'?
>
> On 12.01.2012 21:55, Nikolay Denev wrote:
>> Hello,
>>
>> A web server that I administer running Nginx and FreeBSD-7.3-STABLE was recently
>> under an ICMP attack that generated a large amount of outgoing TCP traffic.
>> With some tcpdump and netflow analysis it was evident that the attackers are using
>> ICMP host-unreach need-frag messages to make the web server
>> retransmit multiple times, giving an amplification factor of about 1.6.
>> Then I noticed RFC5927 ( http://www.faqs.org/rfcs/rfc5927.html ) and specifically section 7.2
>> which discusses countermeasures against such attacks. The text reads:
>>
>>     This section describes a modification to the PMTUD mechanism
>>     specified in [RFC1191] and [RFC1981] that has been incorporated in
>>     OpenBSD and NetBSD (since 2005) to improve TCP's resistance to the
>>     blind performance-degrading attack described in Section 7.1. The
>>     described counter-measure basically disregards ICMP messages when a
>>     connection makes progress, without violating any of the requirements
>>     stated in [RFC1191] and [RFC1981].
>>
>> The RFC is recent (dated from July 2010), and it mentions several times Linux, Free, Open and NetBSD,
>> but exactly in this paragraph it is mentioning only Net and OpenBSD's, thus I'm asking if
>> anyone has an idea if these modifications were being put into FreeBSD?
>>
>> I quickly glanced upon the source, but the TCP code is a bit too much for me :)
>>
>> Also if anybody has observed a similar attack, how are you protecting yourself from it?
>> Simply blocking host-unreach need-frag would break PMTUD.
>>
>> P.S.: I know 7.3 is pretty old, and I've planned an upgrade to 8.2. I'm also curious if 8.2 will behave differently.
>>
>> Regards,
>> Nikolay
>
> --
> Andrey Zonov

% uptime
 7:57PM  up 608 days,  4:06, 1 user, load averages: 0.30, 0.21, 0.17
% vmstat -z | grep hostcache
hostcache:                136,    15372,    15136,      236, 44946965, 10972760

Hmm… probably I should increase this….
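The counter-measure quoted from RFC 5927 section 7.2 above, worked as an added example in C. This is not code from the thread, from the RFC, or from the FreeBSD, OpenBSD or NetBSD kernels; it models only the sentence quoted on this page ("disregards ICMP messages when a connection makes progress"). The state names (`pmtu`, `maxsizeacked`, `pending_pmtu`), the exact decision rule (a need-frag message whose claimed MTU is smaller than a packet size the peer has already acknowledged is held back until a retransmission timeout confirms the connection has stalled) and the 576-byte floor are assumptions of this example. The two scenarios replay the attack described in the thread (forged need-frag against a connection that keeps getting ACKs) and a genuine path-MTU reduction, with classic RFC 1191 behaviour switchable for comparison.

```c
#include <stdbool.h>
#include <stdio.h>

/* Per-connection PMTU state. Field names are assumptions of this example;
 * they are not taken from any BSD TCP implementation. */
struct pmtu_state {
    unsigned pmtu;          /* path MTU currently used for this connection */
    unsigned maxsizeacked;  /* largest packet (IP+TCP headers+payload) seen ACKed */
    unsigned pending_pmtu;  /* deferred reduction, 0 if none */
    bool     rfc5927;       /* true: defer suspicious messages; false: classic PMTUD */
    unsigned honored, deferred, ignored;  /* counters for the demo */
};

#define MIN_PMTU 576u  /* IPv4 lower bound for this model (assumed) */

void pmtu_init(struct pmtu_state *s, unsigned initial_pmtu, bool rfc5927)
{
    s->pmtu = initial_pmtu;
    s->maxsizeacked = 0;
    s->pending_pmtu = 0;
    s->rfc5927 = rfc5927;
    s->honored = s->deferred = s->ignored = 0;
}

/* ICMP "fragmentation needed and DF set" arrived claiming a next-hop MTU.
 * Returns true if the connection's PMTU was reduced right away. */
bool pmtu_on_icmp_needfrag(struct pmtu_state *s, unsigned claimed_mtu)
{
    if (claimed_mtu < MIN_PMTU)
        claimed_mtu = MIN_PMTU;
    if (claimed_mtu >= s->pmtu) {       /* not a reduction: nothing to do */
        s->ignored++;
        return false;
    }
    /* Packets at least as large as the claimed MTU have already been ACKed,
     * so the claim contradicts observed progress. Hold it back and only act
     * if the connection stops making progress (retransmission timeout). */
    if (s->rfc5927 && claimed_mtu < s->maxsizeacked) {
        s->pending_pmtu = claimed_mtu;
        s->deferred++;
        return false;
    }
    /* No evidence against the claim: honour it at once, as RFC 1191 would. */
    s->pmtu = claimed_mtu;
    s->honored++;
    return true;
}

/* An ACK covering a packet of pkt_size bytes: the connection made progress,
 * so any held-back reduction is disregarded. */
void pmtu_on_ack(struct pmtu_state *s, unsigned pkt_size)
{
    if (pkt_size > s->maxsizeacked)
        s->maxsizeacked = pkt_size;
    s->pending_pmtu = 0;
}

/* Retransmission timer fired: no progress, so apply a deferred reduction
 * before retransmitting. Returns true if the PMTU changed. */
bool pmtu_on_rto(struct pmtu_state *s)
{
    bool changed = false;
    if (s->pending_pmtu != 0 && s->pending_pmtu < s->pmtu) {
        s->pmtu = s->pending_pmtu;
        changed = true;
    }
    s->pending_pmtu = 0;
    return changed;
}

/* Scenario from the thread (constructed): an attacker floods need-frag with
 * next-hop MTU 576 while the connection's 1500-byte packets keep being ACKed.
 * Returns the PMTU the connection ends up with. */
unsigned simulate_icmp_flood(unsigned icmp_count, bool rfc5927)
{
    struct pmtu_state s;
    pmtu_init(&s, 1500, rfc5927);
    pmtu_on_ack(&s, 1500);                  /* a full-size packet was ACKed */
    for (unsigned i = 0; i < icmp_count; i++) {
        pmtu_on_icmp_needfrag(&s, 576);     /* forged, contradicts the ACKs */
        pmtu_on_ack(&s, 1500);              /* the peer keeps ACKing */
    }
    return s.pmtu;
}

/* Genuine path change (constructed): a 1500-byte packet is dropped, the router
 * reports MTU 1400, no ACK arrives and the retransmission timer fires. */
unsigned simulate_path_shrink(void)
{
    struct pmtu_state s;
    pmtu_init(&s, 1500, true);
    pmtu_on_ack(&s, 1500);
    pmtu_on_icmp_needfrag(&s, 1400);        /* deferred: 1500-byte packets were ACKed */
    pmtu_on_rto(&s);                        /* the stall confirms it: now honoured */
    return s.pmtu;
}

int main(void)
{
    printf("flood of 50 forged need-frag, RFC 5927 model: PMTU %u\n", simulate_icmp_flood(50, true));
    printf("flood of 50 forged need-frag, classic PMTUD : PMTU %u\n", simulate_icmp_flood(50, false));
    printf("genuine path shrink to 1400, RFC 5927 model : PMTU %u\n", simulate_path_shrink());
    return 0;
}
```

The model only gains its resistance once something has been acknowledged: before the first ACK `maxsizeacked` is 0 and it behaves like classic PMTUD, and a forged message still takes effect if an RTO happens to fire before the next ACK. Those are properties of the simplified rule above, not statements about the BSD implementations the RFC refers to.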