Date:      Sun, 15 Jan 2012 22:27:09 +0400
From:      Andrey Zonov <andrey@zonov.org>
To:        Nikolay Denev <ndenev@gmail.com>
Cc:        freebsd-net@freebsd.org
Subject:   Re: ICMP attacks against TCP and PMTUD
Message-ID:  <4F131A7D.4020006@zonov.org>
In-Reply-To: <EE6495BD-38D0-4EBE-9A94-7C40DC69F820@gmail.com>
References:  <EE6495BD-38D0-4EBE-9A94-7C40DC69F820@gmail.com>

Hi,

Could you please show the output of `vmstat -z | grep hostcache'?

On 12.01.2012 21:55, Nikolay Denev wrote:
> Hello,
>
> A web server that I administer running Nginx and FreeBSD-7.3-STABLE was recently
> under an ICMP attack that generated a large amount of outgoing TCP traffic.
> With some tcpdump and netflow analysis it was evident that the attackers are using
> ICMP host-unreach need-frag messages to make the web server
> retransmit multiple times, giving an amplification factor of about 1.6.
> Then I noticed RFC5927 ( http://www.faqs.org/rfcs/rfc5927.html ) and specifically section 7.2
> which discusses countermeasures against such attacks. The text reads:
>
>     This section describes a modification to the PMTUD mechanism
>     specified in [RFC1191] and [RFC1981] that has been incorporated in
>     OpenBSD and NetBSD (since 2005) to improve TCP's resistance to the
>     blind performance-degrading attack described in Section 7.1.  The
>     described counter-measure basically disregards ICMP messages when a
>     connection makes progress, without violating any of the requirements
>     stated in [RFC1191] and [RFC1981].
>
> The RFC is recent (dated from July 2010), and it mentions several times Linux, Free, Open and NetBSD,
> but exactly in this paragraph it mentions only Net and OpenBSD, thus I'm asking if
> anyone has an idea whether these modifications have been put into FreeBSD?
>
> I quickly glanced upon the source, but the TCP code is a bit too much for me :)
>
> Also, if anybody has observed a similar attack, how are you protecting yourself from it?
> Simply blocking host-unreach need-frag would break PMTUD.
>
> P.S.: I know 7.3 is pretty old, and I've planned an upgrade to 8.2. I'm also curious if 8.2 will behave differently.
>
> Regards,
> Nikolay
>
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"

-- 
Andrey Zonov
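The RFC 5927 section 7.2 counter-measure quoted above can be modelled in a few lines. The following is an added illustration written for this archive page, not FreeBSD's, NetBSD's or OpenBSD's tcp code: one connection tracks the largest segment it has sent and the largest one that has been acknowledged, a "fragmentation needed" message that is not obviously bogus is only remembered, and the smaller MTU is adopted only if the retransmission timer fires without any ACK arriving in between. The class and function names, the 1500-byte starting PMTU and the `MIN_PMTU` floor are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

MIN_PMTU = 296  # assumption: floor below which the PMTU is never reduced


@dataclass
class Conn:
    """One TCP connection's PMTUD state, modelled on RFC 5927 section 7.2."""
    pmtu: int = 1500
    maxsizesent: int = 0               # largest segment ever sent
    maxsizeacked: int = 0              # largest segment ever ACKed
    pending_mtu: Optional[int] = None  # claimed MTU from a deferred ICMP
    ignored_icmp: int = 0              # discarded or overtaken messages (a counter worth graphing)

    def send(self, seg_len: int) -> None:
        """Record the largest segment put on the wire so far."""
        self.maxsizesent = max(self.maxsizesent, seg_len)

    def ack(self, seg_len: int) -> None:
        """ACK for a segment of seg_len: the connection makes progress,
        so any deferred need-frag notification is dropped."""
        self.maxsizeacked = max(self.maxsizeacked, seg_len)
        if self.pending_mtu is not None:
            self.pending_mtu = None
            self.ignored_icmp += 1

    def icmp_need_frag(self, claimed_mtu: int) -> str:
        """Process an ICMP 'fragmentation needed' aimed at this connection.

        Returns 'discarded' or 'deferred'; the PMTU is never changed here.
        """
        if claimed_mtu < MIN_PMTU or claimed_mtu >= self.maxsizesent:
            self.ignored_icmp += 1
            return "discarded"   # nothing we sent would need fragmenting at that MTU
        if self.maxsizeacked and claimed_mtu >= self.maxsizeacked:
            self.ignored_icmp += 1
            return "discarded"   # segments that large already got through the path
        # Plausible, but only acted upon if the connection stops making progress
        self.pending_mtu = min(claimed_mtu, self.pending_mtu or claimed_mtu)
        return "deferred"

    def rto_expired(self) -> bool:
        """Retransmission timeout: no progress, so honour a deferred ICMP."""
        if self.pending_mtu is None:
            return False
        self.pmtu = self.pending_mtu
        self.pending_mtu = None
        return True


def forged_need_frag_during_progress() -> Conn:
    """Constructed scenario: forged need-frag messages arrive while ACKs keep
    coming, so the PMTU stays at 1500 and no retransmission is triggered."""
    c = Conn()
    c.send(1460)
    c.ack(1460)
    for _ in range(5):
        c.send(1460)
        c.icmp_need_frag(576)   # forged Next-Hop MTU
        c.ack(1460)             # data still acknowledged: the message is overtaken
    return c


def genuine_path_mtu_drop() -> Conn:
    """Constructed scenario: the path really shrank, no ACK arrives, the RTO
    fires and the smaller MTU is adopted."""
    c = Conn()
    c.send(1460)
    c.ack(1460)
    c.send(1460)
    c.icmp_need_frag(1400)
    c.rto_expired()
    return c


if __name__ == "__main__":
    print("forged:", forged_need_frag_during_progress())
    print("genuine:", genuine_path_mtu_drop())
```

Without the deferral the forged 576-byte claim would shrink the MSS and force the already-sent data to be resegmented and retransmitted at once, which is exactly the amplification the original post measured; with it, the ICMP flood only bumps the `ignored_icmp` counter, which is the kind of value worth exporting to monitoring.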
