Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 15 Jan 2012 20:59:32 +0200
From:      Nikolay Denev <ndenev@gmail.com>
To:        Andrey Zonov <andrey@zonov.org>
Cc:        freebsd-net@freebsd.org
Subject:   Re: ICMP attacks against TCP and PMTUD
Message-ID:  <733BE6AF-33E0-4C16-A222-B5F5D0519194@gmail.com>
In-Reply-To: <4F131A7D.4020006@zonov.org>
References:  <EE6495BD-38D0-4EBE-9A94-7C40DC69F820@gmail.com> <4F131A7D.4020006@zonov.org>

next in thread | previous in thread | raw e-mail | index | archive | help
On Jan 15, 2012, at 8:27 PM, Andrey Zonov wrote:

> Hi,
>=20
> Could you please show the output of `vmstat -z | grep hostcache'?
>=20
> On 12.01.2012 21:55, Nikolay Denev wrote:
>> Hello,
>>=20
>> A web server that I administer running Nginx and FreeBSD-7.3-STABLE =
was recently
>> under a ICMP attack that generated a large amount of outgoing TCP =
traffic.
>> With some tcpdump and netflow analysis it was evident that the =
attachers are using
>> ICMP host-unreach need-frag messages to make the web server
>> retransmit multiple times, giving a amplification factor of about =
1.6.
>> Then I noticed RFC5927 ( http://www.faqs.org/rfcs/rfc5927.html ) and =
specifically section 7.2
>> which discusses countermeasures against such attacks. The text reads =
:
>>=20
>>    This section describes a modification to the PMTUD mechanism
>>    specified in [RFC1191] and [RFC1981] that has been incorporated in
>>    OpenBSD and NetBSD (since 2005) to improve TCP's resistance to the
>>    blind performance-degrading attack described in Section 7.1.  The
>>    described counter-measure basically disregards ICMP messages when =
a
>>    connection makes progress, without violating any of the =
requirements
>>    stated in [RFC1191] and [RFC1981].
>>=20
>> The RFC is recent (dated from July 2010), and it mentions several =
times Linux, Free,Open and NetBSD,
>> but exactly in this paragraph it is mentioning only Net and =
OpenBSD's, thus I'm asking if
>> anyone has idea if these modifications were being put into FreeBSD?
>>=20
>> I quickly glanced upon the source, but the TCP code is a bit too much =
for me :)
>>=20
>> Also if anybody has observed similar attack, how are you protecting =
yourself from it?
>> Simply blocking host-unreach need-frag would break PMTUD.
>>=20
>> P.S.: I know 7.3 is pretty old, and I've planned upgrade to 8.2. I'm =
also curious if 8.2 will behave differently.
>>=20
>> Regards,
>> Nikolay
>>=20
>> _______________________________________________
>> freebsd-net@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-net
>> To unsubscribe, send any mail to =
"freebsd-net-unsubscribe@freebsd.org"
>=20
> --=20
> Andrey Zonov


% uptime=20
 7:57PM  up 608 days,  4:06, 1 user, load averages: 0.30, 0.21, 0.17

% vmstat -z|grep hostcache
hostcache:                136,    15372,    15136,      236, 44946965, =
10972760


Hmm=85 probably I should increase this=85.




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?733BE6AF-33E0-4C16-A222-B5F5D0519194>