Date: Mon, 6 May 2024 11:17:45 +0000
From: Gary Jennejohn
To: Alexander Leidinger
Cc: Randall Stewart, src-committers@freebsd.org, dev-commits-src-all@freebsd.org, dev-commits-src-main@freebsd.org
Subject: Re: git: fce03f85c5bf - main - TCP can be subject to Sack Attacks lets fix this issue.
Message-ID: <20240506131745.22cde441@ernst.home>
In-Reply-To: <20240506131136.1bcf87f9@ernst.home>
References: <202405051310.445DAMEO069675@gitrepo.freebsd.org> <97c2eddd682d7347b0d26c0f042401bb@Leidinger.net> <20240506131136.1bcf87f9@ernst.home>
Reply-To: garyj@gmx.de
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main

On Mon, 6 May 2024 11:11:36 +0000
Gary Jennejohn wrote:

> On Mon, 06 May 2024 09:27:31 +0200
> Alexander Leidinger wrote:
>
> > On 2024-05-05 15:10, Randall Stewart wrote:
> > > The branch main has been updated by rrs:
> > >
> > > URL:
> > > https://cgit.FreeBSD.org/src/commit/?id=fce03f85c5bfc0d73fb5c43ac1affad73efab11a
> > >
> > > commit fce03f85c5bfc0d73fb5c43ac1affad73efab11a
> > > Author: Randall Stewart
> > > AuthorDate: 2024-05-05 13:08:47 +0000
> > > Commit: Randall Stewart
> > > CommitDate: 2024-05-05 13:08:47 +0000
> > >
> > > TCP can be subject to Sack Attacks lets fix this issue.
> > >
> > > There is a type of attack that a TCP peer can launch on a
> > > connection. This is for sure in Rack or BBR and probably even the
> > > default stack if it uses lists in sack processing.
> > > The idea of the
> > > attack is that the attacker is driving you to look at 100's of sack
> > > blocks that only update 1 byte. So for example if you have 1 - 10,000
> > > bytes outstanding the attacker sends in something like:
> > >
> > > ACK 0 SACK(1-512) SACK(1024 - 1536), SACK(2048-2536), SACK(4096 - 4608), SACK(8192-8704)
> > > This first sack looks fine but then the attacker sends
> > >
> > > ACK 0 SACK(1-512) SACK(1025 - 1537), SACK(2049-2537), SACK(4097 - 4609), SACK(8193-8705)
> > > ACK 0 SACK(1-512) SACK(1027 - 1539), SACK(2051-2539), SACK(4099 - 4611), SACK(8195-8707)
> > > ...
> > > These blocks are making you hunt across your linked list and split
> > > things up so that you have an entry for every other byte. As your list
> > > grows you spend more and more CPU running through the lists. The idea
> > > here is the attacker chooses entries as far apart as possible that make
> > > you run through the list. This example is small but in theory if the
> > > window is open to say 1Meg you could end up with 100's of thousands
> > > link list entries.
> >
> > Would it make sense to use a tree list (generic example:
> > https://commons.apache.org/proper/commons-collections/apidocs/org/apache/commons/collections4/list/TreeList.html)
> > instead of a linked list additional/independently to what you committed?
> >
> > > diff --git a/sys/netinet/tcp_stacks/sack_filter.c
> > > b/sys/netinet/tcp_stacks/sack_filter.c
> > > index e82fcee2ffac..fc9ee8454a1e 100644
> > > --- a/sys/netinet/tcp_stacks/sack_filter.c
> > > +++ b/sys/netinet/tcp_stacks/sack_filter.c
> >
> > > #ifndef _KERNEL
> > > +
> > > +static u_int tcp_fixed_maxseg(const struct tcpcb *tp)
> > > +{
> > > + /* Lets pretend their are timestamps on for user space */
> > > + return (tp->t_maxseg - 12);
> > > +}
> >
> > Typo in the comment?
> >
>
> Yes. Should be Let's as a contraction of Let us.
>

And their should be there, which I just noticed.

-- 
Gary Jennejohn
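
Review bot: in the user-space tcp_fixed_maxseg() added under #ifndef _KERNEL, `tp->t_maxseg - 12` is returned as u_int with no lower bound, so a t_maxseg below 12 would come back as a very large segment size instead of a small one. Guard the subtraction (or assert that t_maxseg exceeds 12), and give the bare 12 a named constant or say in the comment that it is the assumed timestamp option overhead. The comment also still needs the Let's/there spelling fixes raised in this thread.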
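
The per-block accounting behind the attack described in the quoted commit message, as an added example (not FreeBSD's sack_filter.c and not code from anyone in this thread): it measures how many previously un-SACKed bytes each block contributes, with the three ACKs from the commit message as constructed input. `sb_add`, `count_tiny`, `SB_MAX`, the 64-byte threshold and the half-open, non-wrapping sequence ranges are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#define SB_MAX 32	/* capacity of this model scoreboard (assumed) */
struct range { uint32_t start, end; };	/* half-open [start, end) */
struct scoreboard { struct range r[SB_MAX]; int n; };	/* sorted, disjoint */

/* Merge [s, e) into sb; return the bytes that were not SACKed before. */
static uint32_t sb_add(struct scoreboard *sb, uint32_t s, uint32_t e)
{
	struct range out[SB_MAX + 1], m = { s, e };
	uint32_t dup = 0;
	int i, n = 0, placed = 0;
	for (i = 0; i < sb->n; i++) {
		struct range c = sb->r[i];
		if (c.end < s) {		/* left of the block: keep */
			out[n++] = c;
		} else if (c.start > e) {	/* right of it: emit merged range first */
			if (!placed) { out[n++] = m; placed = 1; }
			out[n++] = c;
		} else {			/* overlaps or touches: absorb */
			uint32_t lo = c.start > s ? c.start : s, hi = c.end < e ? c.end : e;
			dup += hi > lo ? hi - lo : 0;
			if (c.start < m.start) m.start = c.start;
			if (c.end > m.end) m.end = c.end;
		}
	}
	if (!placed) out[n++] = m;
	if (n <= SB_MAX)		/* when full, leave the scoreboard unchanged */
		for (sb->n = n, i = 0; i < n; i++) sb->r[i] = out[i];
	return (e - s) - dup;
}

/* Constructed sample: the three ACKs quoted in the commit message. */
static const struct range sample[15] = {
	{1, 512}, {1024, 1536}, {2048, 2536}, {4096, 4608}, {8192, 8704},
	{1, 512}, {1025, 1537}, {2049, 2537}, {4097, 4609}, {8193, 8705},
	{1, 512}, {1027, 1539}, {2051, 2539}, {4099, 4611}, {8195, 8707},
};
/* Count blocks in the first `acks` ACKs that add 1..thresh-1 new bytes. */
static unsigned count_tiny(int acks, uint32_t thresh)
{
	struct scoreboard sb = { .n = 0 };
	unsigned tiny = 0;
	for (int i = 0; i < acks * 5 && i < 15; i++) {
		uint32_t fresh = sb_add(&sb, sample[i].start, sample[i].end);
		tiny += (fresh > 0 && fresh < thresh);
	}
	return tiny;
}
int main(void) { printf("%u %u\n", count_tiny(1, 64), count_tiny(3, 64)); return 0; }
```

On the sample, the first ACK contributes no tiny blocks and the second and third contribute four each, while the merged scoreboard never holds more than five ranges. Exact repeats such as SACK(1-512) add zero bytes and are not counted, since receivers legitimately repeat earlier blocks.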