From: Robert Watson <robert@fledge.watson.org>
Date: Fri, 9 Jan 2004 11:39:03 -0500 (EST)
To: Dan Nelson
cc: Thorsten Greiner, Andre Oppermann, ticso@cicely.de, current@freebsd.org
Subject: Re: the TCP MSS resource exhaustion commit
In-Reply-To: <20040109160810.GB4168@dan.emsphone.com>

On Fri, 9 Jan 2004, Dan Nelson wrote:

> In the last episode (Jan 09), Andre Oppermann said:
> > Bernd Walter wrote:
> > > On Fri, Jan 09, 2004 at 03:23:53PM +0100, Andre Oppermann wrote:
> > > > Thorsten Greiner wrote:
> > > > > While I have read your commit message thoroughly I am not sure
> > > > > I have understood the consequences of the new mechanism. Will
> > > > > the exchange of many small packets trigger a connection drop?
> > > >
> > > > Yes. Once you receive more than 1,000 tcp packets per second
> > > > whose average size is below the net.inet.tcp.minmss value, then
> > > > it will assume a malicious DoS attack. It appears that the
> > > > default value of 1,000 is too low.
>
> The detection logic only applies to TCP packets containing payload,
> not to ACKs or anything else.
>
> The Oracle case was probably triggered by the ping-ponging effect that
> running many small queries causes. People running MySQL as a backend
> for webservers will probably trigger the same thing.
>
> You should probably also ignore any connections originating from local
> networks, ignore any connections where TCP_NODELAY is set (which will
> cover the ssh case), and ignore packets where the reply has data in it
> (which will cover Oracle, MySQL, xmlrpc, NFS, NIS, and any other
> request-reply protocol with small packets).

I guess my basic worry in this conversation is that fundamentally, the
rate detection and "stop" approach is based on a common case heuristic:
"Most well behaved applications don't...". Unfortunately, I have the
feeling we're going to run into a lot of exceptions, and while we can
improve the heuristic, I can't help but wonder if we shouldn't disable
the heuristic by default, and provide better reporting so that sites can
tell if the heuristic *would* enable protection, and then they can
optionally turn it on at their choice... I.e., a console message or
sysctl that can be monitored.

It's not hard for me to imagine a lot of RPC content being sent over TCP
connections with small packet sizes: multiplexing is a commonly used
approach, especially now that every protocol runs over HTTP :-).

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Senior Research Scientist, McAfee Research
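The rate heuristic the thread describes, modelled as an added example (this is not FreeBSD code): it counts only inbound payload-carrying packets per one-second window, flags a window when more than 1,000 arrive with an average size below net.inet.tcp.minmss, and optionally applies Dan's request-reply exemption so a small-query database workload is no longer mistaken for a flood. The minmss value of 216, the (seconds, direction, payload_bytes) packet representation and the constructed traffic generators are assumptions; the function only reports which windows would trip, which is the monitoring mode Robert asks for.

```python
from collections import defaultdict

MINMSS = 216   # assumed net.inet.tcp.minmss value; check sysctl on the host
LIMIT = 1000   # packets-per-second threshold quoted in the thread


def flagged_windows(packets, minmss=MINMSS, limit=LIMIT, skip_request_reply=False):
    """Return the 1-second windows the heuristic would treat as a DoS.

    packets: list of (seconds, "in"|"out", payload_bytes) for one connection,
    in arrival order (constructed representation, not a kernel structure).
    Only inbound packets carrying payload count; pure ACKs never do.
    With skip_request_reply=True an inbound data packet whose immediate
    reply also carries data is exempt (Dan's suggested exception).
    """
    count = defaultdict(int)
    total = defaultdict(int)
    for i, (sec, direction, size) in enumerate(packets):
        if direction != "in" or size == 0:
            continue                                  # outbound or pure ACK
        if skip_request_reply and i + 1 < len(packets):
            _, nxt_dir, nxt_size = packets[i + 1]
            if nxt_dir == "out" and nxt_size > 0:
                continue                              # request answered with data
        count[int(sec)] += 1
        total[int(sec)] += size
    return sorted(w for w in count
                  if count[w] > limit and total[w] / count[w] < minmss)


def sql_like_traffic(queries_per_sec, seconds=2):
    """Constructed ping-pong stream: 60-byte query in, 80-byte row out,
    then a bare ACK in, repeated queries_per_sec times per second."""
    pkts = []
    for s in range(seconds):
        for q in range(queries_per_sec):
            t = s + q / queries_per_sec
            pkts += [(t, "in", 60), (t, "out", 80), (t, "in", 0)]
    return pkts


def flood_traffic(rate, seconds=2):
    """Constructed one-sided stream: 40-byte segments in, only ACKs out."""
    pkts = []
    for s in range(seconds):
        for q in range(rate):
            t = s + q / rate
            pkts += [(t, "in", 40), (t, "out", 0)]
    return pkts
```

A 1,500-query-per-second request-reply connection trips both one-second windows under the plain rule, while the exemption clears it and still flags the one-sided stream.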