Date:      Fri, 21 Jul 2017 14:57:45 -0400
From:      Matt Riffle <matt@pair.com>
To:        freebsd-security@freebsd.org
Subject:   ACK Storm protection?
Message-ID:  <8F4BB6E0-66A3-4367-BD86-DC29F2BA3C0A@pair.com>

Hello,

Starting on July 11, I’ve started to see an increasing number of what appear to be “ACK storms” affecting a number of FreeBSD boxes I’m administering. There are a few unsupported releases mixed in, but this is also happening on boxes running 10.3-RELEASE-p3.

In the cases we’re seeing, it begins with legitimate TCP traffic requesting something over HTTP, but soon thereafter we get an out-of-window packet and get into a loop. If anybody is interested, or especially if they’ve experienced something similar, there are a few more details I could share privately.

Setting aside the cause, I’m interested in trying to mitigate the problem. None of my Ubuntu boxes appear to be affected, I presume because of these patches Google made to the kernel there:

https://www.ietf.org/mail-archive/web/tcpm/current/msg09445.html

Is there any equivalent protection for FreeBSD? In my own research I’ve been unable to find anything. In fact, beyond the message above you can’t find very much about ACK storms at all.

Right now we’re mitigating with custom code that is sniffing packets and adding temporary firewall rules whenever it sees a loop start, and that’s working well enough, but I’d prefer to handle it at a lower level if possible.

Thanks,

Matt R.
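The userland stopgap the message describes (sniff, spot a loop of bare ACKs, add a temporary firewall rule) can be sketched as follows. This is an added example, not the poster's code and not anything from the FreeBSD kernel: it assumes packets have already been captured and decoded into simple records, that pf has a table named "ackstorm" referenced by a block rule, and the window, threshold and block lifetime are made-up tuning values. It blocks the remote peer for the whole storm window, which also cuts that peer's legitimate flows; a kernel-side rate limit on the ACK reply itself, which is what the poster is asking for, would not have that side effect.

```python
"""Toy ACK-storm detector over pre-parsed TCP packet records.

Constructed example for the mailing-list message above; not from the
original post and not FreeBSD kernel code. Assumes packets were already
sniffed and decoded, and that pf has a table "ackstorm" used by a block rule.
"""
from collections import defaultdict, deque, namedtuple

WINDOW_SECONDS = 1.0     # assumed: look-back window for counting bare ACKs
ACK_THRESHOLD = 200      # assumed: bare ACKs per flow per window that count as a storm
BLOCK_SECONDS = 60.0     # assumed: lifetime of the temporary block

# One decoded packet. 'flags' is a set of TCP flag letters (S, A, P, F, R).
Packet = namedtuple("Packet", "ts src sport dst dport flags payload_len")


def flow_key(pkt):
    """Direction-independent key so both halves of the loop count together."""
    a = (pkt.src, pkt.sport)
    b = (pkt.dst, pkt.dport)
    return (a, b) if a <= b else (b, a)


def is_bare_ack(pkt):
    """A storm consists of ACK-only segments carrying no data."""
    return pkt.flags == {"A"} and pkt.payload_len == 0


def pf_block(ip):
    return f"pfctl -t ackstorm -T add {ip}"


def pf_unblock(ip):
    return f"pfctl -t ackstorm -T delete {ip}"


class AckStormDetector:
    def __init__(self, local_addrs, window=WINDOW_SECONDS,
                 threshold=ACK_THRESHOLD, block_for=BLOCK_SECONDS):
        self.local = set(local_addrs)
        self.window = window
        self.threshold = threshold
        self.block_for = block_for
        self.recent = defaultdict(deque)   # flow -> timestamps of recent bare ACKs
        self.blocked = {}                  # remote ip -> time the block was added

    def remote_ip(self, pkt):
        return pkt.dst if pkt.src in self.local else pkt.src

    def observe(self, pkt):
        """Feed one packet; return a pfctl command when a storm is detected."""
        if not is_bare_ack(pkt):
            return None
        q = self.recent[flow_key(pkt)]
        q.append(pkt.ts)
        while q and pkt.ts - q[0] > self.window:   # drop ACKs older than the window
            q.popleft()
        if len(q) < self.threshold:
            return None
        ip = self.remote_ip(pkt)
        if ip in self.blocked:                      # already handled this peer
            return None
        self.blocked[ip] = pkt.ts
        q.clear()
        return pf_block(ip)

    def expire(self, now):
        """Return commands lifting blocks that have lived past block_for."""
        cmds = []
        for ip, since in list(self.blocked.items()):
            if now - since >= self.block_for:
                del self.blocked[ip]
                cmds.append(pf_unblock(ip))
        return cmds


def sample_trace():
    """Constructed trace: a normal HTTP request, then a bare-ACK loop."""
    srv, cli = "198.51.100.10", "203.0.113.7"
    pkts = [
        Packet(0.000, cli, 40000, srv, 80, {"S"}, 0),
        Packet(0.001, srv, 80, cli, 40000, {"S", "A"}, 0),
        Packet(0.002, cli, 40000, srv, 80, {"A"}, 0),
        Packet(0.003, cli, 40000, srv, 80, {"P", "A"}, 120),   # GET /
        Packet(0.010, srv, 80, cli, 40000, {"P", "A"}, 1400),  # response
    ]
    # Out-of-window ACK answered by ACK, both sides, 1 ms apart, forever.
    t = 0.020
    for _ in range(150):
        pkts.append(Packet(t, cli, 40000, srv, 80, {"A"}, 0))
        pkts.append(Packet(t + 0.001, srv, 80, cli, 40000, {"A"}, 0))
        t += 0.002
    return srv, pkts


def run_demo():
    """Run the detector over the constructed trace; returns the pf commands emitted."""
    srv, pkts = sample_trace()
    det = AckStormDetector(local_addrs=[srv])
    return [a for a in (det.observe(p) for p in pkts) if a]


if __name__ == "__main__":
    for cmd in run_demo():
        print(cmd)
```

The detector keys on the flow, not on a single direction, because in the loop described above each side's ACK provokes the other's; counting only one direction halves the signal. Real deployment would feed it from a pcap/BPF reader and run `expire()` from a timer so the table entries really are temporary.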
