From owner-freebsd-chat Tue Sep 24 9:35:19 2002
Delivered-To: freebsd-chat@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 8918337B404
	for ; Tue, 24 Sep 2002 09:35:17 -0700 (PDT)
Received: from hawk.mail.pas.earthlink.net (hawk.mail.pas.earthlink.net [207.217.120.22])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 537C643E77
	for ; Tue, 24 Sep 2002 09:35:16 -0700 (PDT)
	(envelope-from tlambert2@mindspring.com)
Received: from pool0304.cvx21-bradley.dialup.earthlink.net ([209.179.193.49] helo=mindspring.com)
	by hawk.mail.pas.earthlink.net with esmtp (Exim 3.33 #1)
	id 17tseS-0003Yg-00; Tue, 24 Sep 2002 09:35:09 -0700
Message-ID: <3D9093FB.36A193FE@mindspring.com>
Date: Tue, 24 Sep 2002 09:34:03 -0700
From: Terry Lambert
X-Mailer: Mozilla 4.79 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Eric Anderson
Cc: freebsd-chat@freebsd.org
Subject: Re: FreeBSD NFS server using two NICs
References: <3D8A3E52.2090202@centtech.com> <3D8A428B.B96FBE75@mindspring.com> <3D8A458B.2080608@centtech.com> <3D8A4B40.67C8E2A2@mindspring.com> <3D8F66AB.8020309@centtech.com> <3D8F8401.E77A5DA9@mindspring.com> <3D9061C9.5050409@centtech.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-chat@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Eric Anderson wrote:
> > Make it all fit in one packet.  I don't know what options, etc.,
> > you are using.  I would suggest 1K (1024), so that it will fit
> > in a single packet, even with some extra options set.
> >
> > 1500 is the standard MTU... if it looks small to you, you must
> > have some really whacked-out hardware... and it must violate the
> > ethernet standards.  8-).
>
> I meant the read/write size seems small to be set at 1500 or 1k.  That
> would significantly reduce performance, correct?
Right now it's not working.  Whatever you do will not "reduce performance"
from that.

The answer is: if you want a data window larger than the MTU, use a
transport protocol that supports data windows, instead of trying to abuse
the packet reassembly buffer as a fixed window, rather than a sliding
window.

> > Feel free to switch to an 8K (8192) or larger read/write size,
> > *IF you use TCP instead of UDP*.
>
> I think you are on to something here - I am using TCP only, and it's
> working fine using both interfaces.  UDP strikes again!  damn.. 8-).

Good.

Technically, FreeBSD has a DOS vulnerability here, in the UDP large
packet reassembly case, but technically, people are not supposed to use
large UDP packets in the first place, and very few services export UDP
onto the live Internet.

I imagine that if one wanted to exploit this, they could use very large
UDP DNS "requests", which never get out of the packet reassembly buffer,
e.g. send 63 out of 64 packets, and never send the first one.

The funny part, though, is that DNS over UDP goes to TCP if the packet
size goes over what would fit in a single UDP packet, so legitimate
requests never use the packet reassembly buffer.

The upshot is that this "DOS attack" would only result in the limit of
the memory for the packet reassembly queue being consumed, and no
legitimate traffic failing (since it would go right through without
being enqueued for reassembly).

So I guess the only system that would be vulnerable to this would be one
that exported two UDP services, one which habitually abused large UDP
packets to fake a window -- basically, Linux NFS.  8-).

-- Terry

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-chat" in the body of the message
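The argument in the message above (incomplete fragment sets pin reassembly memory; datagrams that fit in one packet never touch the queue; only a service that relies on large UDP datagrams, such as NFS over UDP with rsize/wsize above the MTU, actually loses traffic) is easiest to see in a small model. The following is an added example, written for this page and not code from the mail or from FreeBSD's ip_input.c. It assumes a simplified reassembly queue: a single byte budget for all fragments awaiting reassembly, one entry per (source, IP ID), no reassembly timeout, and immediate delivery of any datagram whose first fragment has the MF flag clear. The 1480-byte fragment payload, the 32-fragment attack datagram, the 512-byte "DNS reply" and the 8192-byte "NFS read" are constructed sample inputs.

```python
"""Toy model of an IP fragment reassembly queue under a partial-fragment flood.

Assumptions (not from the original mail or from FreeBSD): one byte budget for
the whole queue, no per-entry timeout, entries keyed by (src, ip_id).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

MTU = 1500
IP_HDR = 20
# Fragment payloads must be multiples of 8 bytes: (1500 - 20) // 8 * 8 == 1480.
FRAG_PAYLOAD = (MTU - IP_HDR) // 8 * 8


@dataclass
class Fragment:
    src: str
    ip_id: int
    offset: int   # byte offset of this payload within the original datagram
    length: int   # payload bytes carried by this fragment
    more: bool    # MF flag: True unless this is the last fragment


def fragment_datagram(src: str, ip_id: int, payload_len: int) -> List[Fragment]:
    """Split a UDP datagram payload into MTU-sized IP fragments (in order)."""
    frags, offset = [], 0
    while offset < payload_len:
        length = min(FRAG_PAYLOAD, payload_len - offset)
        frags.append(Fragment(src, ip_id, offset, length, offset + length < payload_len))
        offset += length
    return frags


@dataclass
class ReassemblyQueue:
    max_bytes: int                      # assumed global budget for queued fragments
    used_bytes: int = 0
    entries: Dict[Tuple[str, int], List[Fragment]] = field(default_factory=dict)
    delivered: List[Tuple[str, int, int]] = field(default_factory=list)
    dropped: int = 0

    def receive(self, frag: Fragment) -> str:
        # An unfragmented datagram (offset 0, MF clear) is delivered without
        # ever being queued, so the flood cannot starve it.
        if frag.offset == 0 and not frag.more:
            self.delivered.append((frag.src, frag.ip_id, frag.length))
            return "delivered"
        if self.used_bytes + frag.length > self.max_bytes:
            self.dropped += 1           # queue full: fragment is discarded
            return "dropped"
        key = (frag.src, frag.ip_id)
        self.entries.setdefault(key, []).append(frag)
        self.used_bytes += frag.length
        if self._complete(key):
            total = sum(f.length for f in self.entries.pop(key))
            self.used_bytes -= total    # memory returned only on completion
            self.delivered.append((frag.src, frag.ip_id, total))
            return "delivered"
        return "queued"

    def _complete(self, key: Tuple[str, int]) -> bool:
        """True when fragments cover offsets 0..end contiguously and the last has MF clear."""
        frags = sorted(self.entries[key], key=lambda f: f.offset)
        expected = 0
        for f in frags:
            if f.offset != expected:
                return False
            expected += f.length
        return not frags[-1].more


def run_scenario(max_bytes: int = 4 * 31 * FRAG_PAYLOAD, bursts: int = 5) -> dict:
    """Flood with 31-of-32 fragment sets (first fragment withheld), then test victims."""
    q = ReassemblyQueue(max_bytes=max_bytes)
    for ip_id in range(bursts):
        frags = fragment_datagram("attacker", ip_id, 32 * FRAG_PAYLOAD)
        for f in frags[1:]:             # never send offset 0: set can never complete
            q.receive(f)
    attack_dropped = q.dropped
    # Constructed legitimate traffic arriving after the queue is full.
    dns = q.receive(Fragment("resolver", 9000, 0, 512, False))        # fits in one packet
    nfs = [q.receive(f) for f in fragment_datagram("nfsclient", 7, 8192)]  # needs reassembly
    return {
        "queued_bytes": q.used_bytes,
        "attack_dropped": attack_dropped,
        "dns_result": dns,
        "nfs_results": nfs,
        "delivered": len(q.delivered),
    }


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

With the default budget, four withheld-first-fragment sets fill the queue exactly; the fifth burst is dropped fragment by fragment, the single-packet DNS reply is still delivered because it bypasses the queue, and every fragment of the 8192-byte NFS read is discarded, so the NFS client times out. Real stacks also expire incomplete entries after a timeout, which this model omits; that turns the attack from a one-shot fill into a sustained-rate problem but does not change which traffic suffers.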