From: Nikolay Denev
Date: Thu, 12 Jan 2012 19:55:47 +0200
To: freebsd-net@freebsd.org
Subject: ICMP attacks against TCP and PMTUD
List-Id: Networking and TCP/IP with FreeBSD

Hello,

A web server that I administer running Nginx and FreeBSD-7.3-STABLE was recently under an ICMP attack that generated a large amount of outgoing TCP traffic. With some tcpdump and netflow analysis it was evident that the attackers are using ICMP host-unreach need-frag messages to make the web server retransmit multiple times, giving an amplification factor of about 1.6.

Then I noticed RFC5927 ( http://www.faqs.org/rfcs/rfc5927.html ) and specifically section 7.2, which discusses countermeasures against such attacks. The text reads:

This section describes a modification to the PMTUD mechanism specified in [RFC1191] and [RFC1981] that has been incorporated in OpenBSD and NetBSD (since 2005) to improve TCP's resistance to the blind performance-degrading attack described in Section 7.1. The described counter-measure basically disregards ICMP messages when a connection makes progress, without violating any of the requirements stated in [RFC1191] and [RFC1981].

The RFC is recent (dated from July 2010), and it mentions Linux, Free, Open and NetBSD several times, but in exactly this paragraph it mentions only Net and OpenBSD, thus I'm asking if anyone has an idea whether these modifications have been put into FreeBSD?

I quickly glanced at the source, but the TCP code is a bit too much for me :)

Also, if anybody has observed a similar attack, how are you protecting yourself from it? Simply blocking host-unreach need-frag would break PMTUD.

P.S.: I know 7.3 is pretty old, and I've planned an upgrade to 8.2. I'm also curious if 8.2 will behave differently.

Regards,
Nikolay
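The section 7.2 behaviour quoted in the mail, as an added illustrative model (not the mail's, FreeBSD's or OpenBSD's code): the naive "honour the report at once" handler next to the deferred one, run through a forged-report flood and a genuine MTU drop. The struct, MIN_PMTU and the two scenario functions are this example's own assumptions.

```c
/* Added model of the RFC 5927 section 7.2 idea quoted above: a hardened TCP
 * sender records an ICMP "fragmentation needed" (type 3, code 4) report, honours
 * it only when the retransmission timer fires, and drops it on progress. */
#include <stdbool.h>
#include <stdint.h>
#define MIN_PMTU 296U /* assumed floor: smaller claims are rejected outright */

struct pmtud_conn {
    uint32_t pmtu;         /* path MTU currently in use */
    uint32_t pending_mtu;  /* claimed MTU awaiting confirmation, 0 if none */
    unsigned retransmits;  /* retransmissions the reports caused */
};

/* Naive handling: shrink the MTU and retransmit as soon as a report arrives,
 * which is what lets forged reports drive retransmissions. */
void pmtud_icmp_naive(struct pmtud_conn *c, uint32_t claimed) {
    if (claimed < MIN_PMTU || claimed >= c->pmtu) return;
    c->pmtu = claimed; c->retransmits++;
}
/* Hardened handling: remember the claim, but send nothing yet. */
void pmtud_icmp_hardened(struct pmtud_conn *c, uint32_t claimed) {
    if (claimed >= MIN_PMTU && claimed < c->pmtu) c->pending_mtu = claimed;
}
/* New data acknowledged: the path just carried our segments, so a pending
 * report contradicts observed progress and is discarded. */
void pmtud_on_ack(struct pmtud_conn *c) { c->pending_mtu = 0; }
/* Retransmission timer fired: the segment really was lost, so honour the
 * pending report (if any) and retransmit. Returns the MTU now in use. */
uint32_t pmtud_on_rto(struct pmtud_conn *c) {
    if (c->pending_mtu != 0) c->pmtu = c->pending_mtu;
    c->pending_mtu = 0; c->retransmits++;
    return c->pmtu;
}

/* Scenario 1: 50 forged reports arrive while the peer keeps acking data. */
unsigned forged_flood_retransmits(bool hardened) {
    struct pmtud_conn c = { 1500, 0, 0 };
    for (uint32_t i = 0; i < 50; i++) {
        if (hardened) pmtud_icmp_hardened(&c, 576);
        else          pmtud_icmp_naive(&c, 576 - i); /* each claim a bit lower */
        pmtud_on_ack(&c);                           /* connection progresses */
    }
    return c.retransmits;
}
/* Scenario 2: a genuine MTU drop to 1280; no ACK arrives before the timer fires. */
uint32_t genuine_drop_pmtu(void) {
    struct pmtud_conn c = { 1500, 0, 0 };
    pmtud_icmp_hardened(&c, 1280);
    return pmtud_on_rto(&c);
}
```

The naive handler retransmits once per forged report, the deferred one not at all, while a real MTU drop is still honoured at the first RTO.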