Date:      Thu, 12 Jan 2012 19:55:47 +0200
From:      Nikolay Denev <ndenev@gmail.com>
To:        freebsd-net@freebsd.org
Subject:   ICMP attacks against TCP and PMTUD
Message-ID:  <EE6495BD-38D0-4EBE-9A94-7C40DC69F820@gmail.com>

Hello,

A web server that I administer running Nginx and FreeBSD-7.3-STABLE was recently
under an ICMP attack that generated a large amount of outgoing TCP traffic.
With some tcpdump and netflow analysis it was evident that the attackers are using
ICMP host-unreach need-frag messages to make the web server
retransmit multiple times, giving an amplification factor of about 1.6.
Then I noticed RFC5927 ( http://www.faqs.org/rfcs/rfc5927.html ) and specifically section 7.2,
which discusses countermeasures against such attacks. The text reads:

   This section describes a modification to the PMTUD mechanism
   specified in [RFC1191] and [RFC1981] that has been incorporated in
   OpenBSD and NetBSD (since 2005) to improve TCP's resistance to the
   blind performance-degrading attack described in Section 7.1.  The
   described counter-measure basically disregards ICMP messages when a
   connection makes progress, without violating any of the requirements
   stated in [RFC1191] and [RFC1981].

The RFC is recent (dated from July 2010), and it mentions Linux, Free, Open and NetBSD several times,
but in exactly this paragraph it mentions only Net and OpenBSD, thus I'm asking if
anyone has any idea whether these modifications have been put into FreeBSD?

I quickly glanced at the source, but the TCP code is a bit too much for me :)

Also, if anybody has observed a similar attack, how are you protecting yourself from it?
Simply blocking host-unreach need-frag would break PMTUD.

P.S.: I know 7.3 is pretty old, and I've planned an upgrade to 8.2. I'm also curious whether 8.2 will behave differently.

Regards,
Nikolay
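The RFC 5927 section 7.2 paragraph quoted above says the countermeasure "disregards ICMP messages when a connection makes progress". The following Python model, added here to illustrate that idea and not taken from the original post, the RFC, or any BSD kernel, replays constructed event streams (ICMP need-frag, ACK, retransmission timeout) against a small per-connection PMTU state machine. The bookkeeping is a simplification and an assumption on my part: a need-frag that claims an MTU no larger than anything already acknowledged is held as pending, dropped if the connection keeps making progress, and honoured only when the retransmission timer fires; a claim consistent with what has been seen so far is honoured immediately. `MIN_MTU`, the event tuples and the three scenarios are constructed, not captures from the poster's server.

```python
"""Simplified model of the RFC 5927 sec. 7.2 idea: defer acting on ICMP
"fragmentation needed" while the TCP connection is making progress.
Illustration only; the exact rules below are assumptions, not RFC text."""

MIN_MTU = 576  # constructed lower bound; claims below it are treated as bogus


class PmtuConnection:
    def __init__(self, pmtu: int):
        self.pmtu = pmtu             # current path-MTU estimate
        self.pending_mtu = None      # claimed MTU held until an RTO decides
        self.max_acked_size = 0      # largest segment size acknowledged so far
        self.stats = {"honoured": 0, "deferred": 0,
                      "discarded": 0, "dropped_on_progress": 0}

    def on_icmp_need_frag(self, next_hop_mtu: int) -> str:
        # A claim that would not reduce the estimate, or that is below the
        # minimum plateau, cannot be a real PMTU reduction: discard it.
        if next_hop_mtu >= self.pmtu or next_hop_mtu < MIN_MTU:
            self.stats["discarded"] += 1
            return "discarded"
        # Nothing larger than the claim has ever been acked, so the claim is
        # consistent with what this connection has observed: honour it now.
        if next_hop_mtu >= self.max_acked_size:
            self.pmtu = next_hop_mtu
            self.stats["honoured"] += 1
            return "honoured"
        # Otherwise segments bigger than the claim have already got through.
        # Do not shrink yet: keep the smallest pending claim and let the
        # connection's own progress (ACK vs. RTO) decide whether it is real.
        if self.pending_mtu is None or next_hop_mtu < self.pending_mtu:
            self.pending_mtu = next_hop_mtu
        self.stats["deferred"] += 1
        return "deferred"

    def on_ack(self, seg_size: int) -> None:
        # Progress: a segment of seg_size bytes reached the peer, so a pending
        # claim that the path cannot carry such segments is dropped.
        self.max_acked_size = max(self.max_acked_size, seg_size)
        if self.pending_mtu is not None:
            self.pending_mtu = None
            self.stats["dropped_on_progress"] += 1

    def on_rto(self) -> int:
        # No progress: the pending claim may be genuine, so honour it now.
        if self.pending_mtu is not None:
            self.pmtu = self.pending_mtu
            self.pending_mtu = None
            self.stats["honoured"] += 1
        return self.pmtu


def run(events, pmtu: int = 1500):
    """Replay ("icmp", mtu) / ("ack", seg_size) / ("rto",) events on one
    connection with the deferral policy; return (final_pmtu, stats)."""
    conn = PmtuConnection(pmtu)
    for ev in events:
        if ev[0] == "icmp":
            conn.on_icmp_need_frag(ev[1])
        elif ev[0] == "ack":
            conn.on_ack(ev[1])
        elif ev[0] == "rto":
            conn.on_rto()
        else:
            raise ValueError(f"unknown event {ev!r}")
    return conn.pmtu, conn.stats


def naive_pmtu(events, pmtu: int = 1500) -> int:
    """Pre-countermeasure behaviour for comparison: every plausible
    need-frag shrinks the estimate immediately."""
    for ev in events:
        if ev[0] == "icmp" and MIN_MTU <= ev[1] < pmtu:
            pmtu = ev[1]
    return pmtu


# Constructed scenarios.
FRESH_CONNECTION = [("icmp", 1400), ("ack", 1360)]        # nothing acked yet
LEGIT_REDUCTION = [("ack", 1460), ("icmp", 1400), ("rto",), ("ack", 1360)]
FORGED_FLOOD = [("ack", 1460)] + [("icmp", 576), ("ack", 1460)] * 5

if __name__ == "__main__":
    for name, events in (("fresh", FRESH_CONNECTION),
                         ("legit", LEGIT_REDUCTION),
                         ("forged", FORGED_FLOOD)):
        print(name, "deferral policy:", run(events), "naive:", naive_pmtu(events))
```

In the forged-flood scenario the naive policy collapses the estimate to 576 bytes, which is what forces the small-segment retransmissions the poster measured, while the deferral policy leaves it at 1500 because every forged message is discarded by the next ACK; the legitimate-reduction scenario still converges to 1400 once an RTO shows the connection is not progressing.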

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?EE6495BD-38D0-4EBE-9A94-7C40DC69F820>