From: Andrey Zonov <andrey@zonov.org>
To: Nikolay Denev
Cc: freebsd-net@freebsd.org
Date: Sun, 15 Jan 2012 22:27:09 +0400
Message-ID: <4F131A7D.4020006@zonov.org>
Subject: Re: ICMP attacks against TCP and PMTUD

Hi,

Could you please show the output of `vmstat -z | grep hostcache'?

On 12.01.2012 21:55, Nikolay Denev wrote:
> Hello,
>
> A web server that I administer running Nginx and FreeBSD-7.3-STABLE was recently
> under an ICMP attack that generated a large amount of outgoing TCP traffic.
> With some tcpdump and netflow analysis it was evident that the attackers are using
> ICMP host-unreach need-frag messages to make the web server
> retransmit multiple times, giving an amplification factor of about 1.6.
> Then I noticed RFC5927 ( http://www.faqs.org/rfcs/rfc5927.html ) and specifically section 7.2
> which discusses countermeasures against such attacks. The text reads:
>
>    This section describes a modification to the PMTUD mechanism
>    specified in [RFC1191] and [RFC1981] that has been incorporated in
>    OpenBSD and NetBSD (since 2005) to improve TCP's resistance to the
>    blind performance-degrading attack described in Section 7.1. The
>    described counter-measure basically disregards ICMP messages when a
>    connection makes progress, without violating any of the requirements
>    stated in [RFC1191] and [RFC1981].
>
> The RFC is recent (dated from July 2010), and it mentions several times Linux, Free, Open and NetBSD,
> but exactly in this paragraph it is mentioning only Net and OpenBSD's, thus I'm asking if
> anyone has an idea whether these modifications have been put into FreeBSD?
>
> I quickly glanced upon the source, but the TCP code is a bit too much for me :)
>
> Also if anybody has observed a similar attack, how are you protecting yourself from it?
> Simply blocking host-unreach need-frag would break PMTUD.
>
> P.S.: I know 7.3 is pretty old, and I've planned an upgrade to 8.2. I'm also curious if 8.2 will behave differently.
>
> Regards,
> Nikolay

-- 
Andrey Zonov
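The quoted RFC 5927 section 7.2 text describes the countermeasure only in one sentence. The following is an added, simplified model of how that countermeasure behaves; it is not FreeBSD, NetBSD or OpenBSD code and not code from either poster. It assumes the RFC's scheme of tracking the largest acknowledged segment size (`max_size_acked`): an ICMP "fragmentation needed" claim is honoured at once only if its Next-Hop MTU is consistent with what has already been acknowledged; otherwise it is held, dropped again if the connection keeps making progress, and applied only when the retransmission timer expires (the connection has stalled). The scenario inputs are constructed.

```python
"""Simplified model of the RFC 5927 section 7.2 PMTUD countermeasure (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MIN_MTU = 68          # smallest MTU an IPv4 host may be asked to assume
INITIAL_PMTU = 1500   # constructed: link MTU at connection start


@dataclass
class PmtuState:
    """Per-connection PMTU state for one TCP sender (model, not kernel code)."""
    pmtu: int = INITIAL_PMTU
    max_size_acked: int = 0            # largest segment size acknowledged so far
    pending_mtu: Optional[int] = None  # ICMP claim held until the connection stalls
    log: List[str] = field(default_factory=list)

    def on_ack(self, segment_size: int) -> None:
        """New data acknowledged: the connection is making progress."""
        self.max_size_acked = max(self.max_size_acked, segment_size)
        if self.pending_mtu is not None:
            # Progress while an ICMP claim is pending: the claim is not trusted.
            self.log.append(f"discard pending mtu={self.pending_mtu} (ack of {segment_size} bytes)")
            self.pending_mtu = None

    def on_icmp_frag_needed(self, next_hop_mtu: int) -> None:
        """ICMP 'fragmentation needed and DF set' arrived for this connection."""
        if next_hop_mtu < MIN_MTU or next_hop_mtu >= self.pmtu:
            self.log.append(f"ignore bogus/no-op mtu={next_hop_mtu}")
            return
        if next_hop_mtu >= self.max_size_acked:
            # Consistent with everything acknowledged so far: honour immediately
            # (this is the normal PMTUD case early in a connection).
            self.log.append(f"honour mtu={next_hop_mtu} immediately")
            self.pmtu = next_hop_mtu
        else:
            # Claims an MTU smaller than segments that already got through:
            # hold it; it is applied only if the connection stalls.
            self.log.append(f"hold mtu={next_hop_mtu} (acked {self.max_size_acked})")
            self.pending_mtu = next_hop_mtu if self.pending_mtu is None else min(self.pending_mtu, next_hop_mtu)

    def on_rto(self) -> None:
        """Retransmission timer expired: the connection is stalled."""
        if self.pending_mtu is not None:
            self.log.append(f"stalled: apply pending mtu={self.pending_mtu}")
            self.pmtu = self.pending_mtu
            self.pending_mtu = None


def run_forged_flood(n_messages: int = 20, claimed_mtu: int = MIN_MTU) -> Tuple[int, Optional[int]]:
    """Constructed attack scenario: forged ICMP arrives while ACKs keep flowing."""
    st = PmtuState()
    st.on_ack(INITIAL_PMTU)          # a full-size segment was already acknowledged
    for _ in range(n_messages):
        st.on_icmp_frag_needed(claimed_mtu)
        st.on_ack(INITIAL_PMTU)      # connection keeps making progress
    return st.pmtu, st.pending_mtu   # PMTU untouched, nothing pending


def run_legit_mtu_drop(new_mtu: int = 1400) -> Tuple[int, int]:
    """Constructed legitimate scenario: the path MTU really shrinks mid-connection."""
    st = PmtuState()
    st.on_ack(INITIAL_PMTU)
    st.on_icmp_frag_needed(new_mtu)  # held: smaller than segments already acked
    before_stall = st.pmtu
    st.on_rto()                      # no ACKs arrive, the sender stalls
    return before_stall, st.pmtu     # (1500, 1400)


def run_connection_start(new_mtu: int = 1400) -> int:
    """Nothing acknowledged yet: classic PMTUD, the claim is honoured at once."""
    st = PmtuState()
    st.on_icmp_frag_needed(new_mtu)
    return st.pmtu


if __name__ == "__main__":
    print("forged flood     ->", run_forged_flood())
    print("legit MTU drop   ->", run_legit_mtu_drop())
    print("connection start ->", run_connection_start())
```

The point the model makes is the one Nikolay raises: a blanket filter on need-frag messages would break the connection-start case, whereas the stateful check keeps that case working and only defers claims that contradict acknowledged traffic until the sender actually stalls.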