Date:      Mon, 23 Jan 2012 17:01:06 +0200
From:      Nikolay Denev <ndenev@gmail.com>
To:        freebsd-net@freebsd.org
Subject:   Re: ICMP attacks against TCP and PMTUD
Message-ID:  <D5CAE132-DF5A-4867-8C13-4D00DBC0EEBA@gmail.com>
In-Reply-To: <7D135FA9-6503-4263-AE55-5C80F94CDF5A@gmail.com>
References:  <EE6495BD-38D0-4EBE-9A94-7C40DC69F820@gmail.com> <4F131A7D.4020006@zonov.org> <733BE6AF-33E0-4C16-A222-B5F5D0519194@gmail.com> <12379405.15603.1326656127893.JavaMail.mobile-sync@vbzh28> <3008402354236887854@unknownmsgid> <7D135FA9-6503-4263-AE55-5C80F94CDF5A@gmail.com>


On Jan 20, 2012, at 10:32 AM, Nikolay Denev wrote:

> On Jan 15, 2012, at 9:52 PM, Nikolay Denev wrote:
> 
>> On 15.01.2012, at 21:35, Andrey Zonov <andrey@zonov.org> wrote:
>> 
>>> This helped me:
>>> /boot/loader.conf
>>> net.inet.tcp.hostcache.hashsize=65536
>>> net.inet.tcp.hostcache.cachelimit=1966080
>>> 
>>> Actually, this is a workaround.  As I remember, the real problem is in
>>> tcp_ctlinput(): it could not update the MTU for the destination IP if the
>>> hostcache allocation fails.  tcp_hc_updatemtu() should return NULL if
>>> tcp_hc_insert() returns NULL, and tcp_ctlinput() should check this case
>>> and set the updated MTU for this particular connection if
>>> tcp_hc_updatemtu() fails.  Otherwise we've got an infinite loop in MTU
>>> discovery.
>>> 
>>> 
>>> On 15.01.2012 22:59, Nikolay Denev wrote:
>>>> 
>>>> % uptime
>>>> 7:57PM  up 608 days,  4:06, 1 user, load averages: 0.30, 0.21, 0.17
>>>> 
>>>> % vmstat -z|grep hostcache
>>>> hostcache:                136,    15372,    15136,      236, 44946965, 10972760
>>>> 
>>>> 
>>>> Hmm… probably I should increase this….
>>>> 
>>>
>>> --
>>> Andrey Zonov
>> 
>> Thanks, I will test this asap!
>> 
>> Regards,
>> Nikolay
> 
> I've upgraded from 7.3-STABLE to 8.2-STABLE and bumped the hostcache tunables significantly.
> So far so good, I'll report back if I see similar traffic spikes.
> 

Seems like I have been wrong about these traffic spikes being attacks, and
actually the problem seems to be the PMTU infinite loop Andrey described.
I'm now running 8.2-STABLE with hostcache significantly bumped and regularly
have more than 20K hostcache entries, which was more than the default
limit of 15K I was running with before.
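As an added example (not part of this thread and not code from the FreeBSD tree), the following POSIX sh script checks a `vmstat -z` hostcache line for the two signals this thread turns on, a USED count close to LIMIT and a non-zero FAILURES column (the line quoted above already shows about 11M failures after 608 days, i.e. the zone has been refusing tcp_hc_insert() allocations), and then emits loader.conf lines sized for a target entry count. It assumes the FreeBSD 7/8 `vmstat -z` column order visible in the quoted output (ITEM SIZE LIMIT USED FREE REQUESTS FAILURES), that the hash size must be a power of two, that bucketlimit defaults to 30, and that cachelimit is sized as hashsize times bucketlimit, which matches Andrey's pair of values (65536 * 30 = 1966080). The sample input is constructed from the numbers quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeBSD tree): check the
# hostcache UMA zone as reported by `vmstat -z` and size the loader.conf
# tunables for a wanted number of entries.
#
# Assumed column order, as in the FreeBSD 7/8 output quoted in the thread:
#   ITEM  SIZE  LIMIT  USED  FREE  REQUESTS  FAILURES

# Constructed sample: the numbers quoted in the thread, plus the header line
# that `vmstat -z` prints before them.
SAMPLE_VMSTAT='ITEM                     SIZE     LIMIT      USED      FREE  REQUESTS  FAILURES
hostcache:                136,    15372,    15136,      236, 44946965, 10972760'

# hostcache_status OUTPUT
#   Prints EXHAUSTED if the zone has refused allocations (FAILURES > 0),
#   NEAR_LIMIT if USED is at or above 80% of LIMIT, OK otherwise, or
#   NOT_FOUND if no hostcache line is present in OUTPUT.
hostcache_status() {
    printf '%s\n' "$1" | awk '
        $1 == "hostcache:" {
            gsub(",", "")               # drop the comma separators; awk re-splits $0
            limit = $3; used = $4; fail = $7
            if (fail > 0)                 { print "EXHAUSTED";  found = 1; exit }
            if (used * 100 >= limit * 80) { print "NEAR_LIMIT"; found = 1; exit }
            print "OK"; found = 1; exit
        }
        END { if (!found) print "NOT_FOUND" }'
}

# next_pow2 N: smallest power of two >= N (the hostcache hash size is
# assumed to require a power of two).
next_pow2() {
    n=$1; p=1
    while [ "$p" -lt "$n" ]; do p=$((p * 2)); done
    echo "$p"
}

# loader_conf_for WANTED [BUCKETLIMIT]
#   Emits /boot/loader.conf lines giving roughly one hash bucket per
#   expected entry and a cache limit of hashsize * bucketlimit
#   (bucketlimit assumed to default to 30).
loader_conf_for() {
    wanted=$1; bucket=${2:-30}
    hashsize=$(next_pow2 "$wanted")
    echo "net.inet.tcp.hostcache.hashsize=$hashsize"
    echo "net.inet.tcp.hostcache.cachelimit=$((hashsize * bucket))"
}

# Stand-alone run: evaluate the constructed sample, then size the tunables
# for the >20K entries mentioned in the thread.
echo "hostcache zone: $(hostcache_status "$SAMPLE_VMSTAT")"
loader_conf_for 20000
```

On a live FreeBSD host the check is `hostcache_status "$(vmstat -z)"`; an EXHAUSTED result is the state Andrey describes, where a full cache makes tcp_hc_insert() fail and the learned MTU is never recorded, so the same ICMP need-fragmentation exchange repeats. The 80% threshold is an arbitrary early-warning margin, not a kernel constant.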



