Date:      Sun, 30 Jul 2017 17:25:01 +0800
From:      Jov <amutu@amutu.com>
To:        Matt Riffle <matt@pair.com>
Cc:        freebsd-security@freebsd.org, freebsd-net@freebsd.org
Subject:   Re: ACK Storm protection?
Message-ID:  <CADyrUxOXMZ=kZ0KReTAKrLa15Q8zdB4TrNSKWSuwJbRvpoHbQA@mail.gmail.com>
In-Reply-To: <8F4BB6E0-66A3-4367-BD86-DC29F2BA3C0A@pair.com>
References:  <8F4BB6E0-66A3-4367-BD86-DC29F2BA3C0A@pair.com>

freebsd-net@ added.

After googling "ack storm freebsd" I found a very old SA:
https://www.freebsd.org/security/advisories/FreeBSD-SA-98%3A07.rst.asc
which mentions:

+ * In the SYN-RECEIVED state, don't send an ACK unless the

+ * segment we received passes the SYN-RECEIVED ACK test.
> + * If it fails send a RST. This breaks the loop in the
> + * "LAND" DoS attack, and also prevents an ACK storm
> + * between two listening ports that have been sent forged
> + * SYN segments, each with the source address of the other.
> + */
> + if (tp->t_state == TCPS_SYN_RECEIVED && (tiflags & TH_ACK) &&
> + (SEQ_GT(tp->snd_una, ti->ti_ack) ||
> + SEQ_GT(ti->ti_ack, tp->snd_max)) )
> + goto dropwithreset;
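Review bot: the guard is gated on tp->t_state == TCPS_SYN_RECEIVED, so it only breaks the loop during the handshake; a connection already in ESTABLISHED that receives an ACK outside [snd_una, snd_max] still takes the ordinary path, which is the case this thread is asking about, and the comment block should say so explicitly. A second point on the lower bound: SEQ_GT(tp->snd_una, ti->ti_ack) admits ti_ack == snd_una, an ACK that acknowledges nothing; if the intent is to require the peer to have acknowledged the SYN/ACK before the connection is treated as established, SEQ_GEQ(tp->snd_una, ti->ti_ack) is the stricter test.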


Not sure whether the established state also has ACK storm protection.

2017-07-22 2:57 GMT+08:00 Matt Riffle <matt@pair.com>:

> Hello,
>
> Starting on July 11, I've started to see an increasing number of what
> appear to be "ACK storms" affecting a number of FreeBSD boxes I'm
> administering.  There are a few unsupported releases mixed in, but, this is
> also happening on boxes running 10.3-RELEASE-p3.
>
> In the cases we're seeing, it begins with legitimate TCP traffic
> requesting something over HTTP, but soon thereafter we get an out of window
> packet and get into a loop.  If anybody is interested or especially if
> they've experienced something similar, there are a few more details I could
> share privately.
>
> Setting aside the cause, I'm interested in trying to mitigate the
> problem.  None of my Ubuntu boxes appear to be affected, I presume because
> of these patches Google made to the kernel there:
>
> https://www.ietf.org/mail-archive/web/tcpm/current/msg09445.html
>
> Is there any equivalent protection for FreeBSD?  In my own research I've
> been unable to find anything.  In fact, beyond the message above you can't
> find very much about ACK storms at all.
>
> Right now we're mitigating with custom code that is sniffing packets and
> adding temporary firewall rules whenever it sees a loop start, and that's
> working well enough, but, I'd prefer to handle it at a lower level if
> possible.
>
> Thanks,
>
> Matt R.
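Matt's mitigation sniffs packets and reacts when a loop starts. As an added illustration, written for this archive page and not Matt's code nor anything from FreeBSD, here is a minimal version of that detection run over a constructed packet trace: a flow is flagged when a run of bare ACKs carries the same seq/ack pair in each direction, the signature of the loop described above, while bursts of ACKs whose numbers advance are left alone. The addresses, sequence numbers, window and threshold are all invented for the example.

```python
from collections import defaultdict, deque

# Constructed trace, not a capture from the thread. Fields per packet:
# (time, src, sport, dst, dport, flags, seq, ack, payload_len).
# A normal HTTP exchange, then an out-of-window segment after which each
# side keeps answering the other's unacceptable ACK with a bare ACK.
CLIENT, SERVER = ("203.0.113.5", 51000), ("198.51.100.9", 80)
SAMPLE = [
    (0.000, *CLIENT, *SERVER, "S", 1000, 0, 0),
    (0.010, *SERVER, *CLIENT, "SA", 5000, 1001, 0),
    (0.020, *CLIENT, *SERVER, "A", 1001, 5001, 0),
    (0.030, *CLIENT, *SERVER, "PA", 1001, 5001, 120),
    (0.040, *SERVER, *CLIENT, "A", 5001, 1121, 0),
]
for i in range(60):  # the loop: seq/ack never advance in either direction
    if i % 2 == 0:
        SAMPLE.append((0.050 + i * 0.0002, *CLIENT, *SERVER, "A", 99000, 5001, 0))
    else:
        SAMPLE.append((0.050 + i * 0.0002, *SERVER, *CLIENT, "A", 5001, 1121, 0))


def detect_ack_storms(packets, window=1.0, threshold=40):
    """Return {flow: bare_ack_count} for flows in which the last `threshold`
    bare ACKs (ACK-only, no payload) inside `window` seconds carried the
    same seq/ack pair in each direction, i.e. nothing is being acknowledged.
    A busy but healthy flow advances seq or ack, so it is not flagged."""
    recent = defaultdict(deque)  # flow -> deque of (time, direction, seq, ack)
    flagged = {}
    for t, src, sport, dst, dport, flags, seq, ack, plen in packets:
        if flags != "A" or plen != 0:
            continue  # only bare ACKs participate in the loop
        flow = tuple(sorted([(src, sport), (dst, dport)]))
        q = recent[flow]
        q.append((t, (src, sport) == flow[0], seq, ack))
        while t - q[0][0] > window:  # slide the time window
            q.popleft()
        if len(q) < threshold:
            continue
        seen = {}  # direction -> first (seq, ack) seen in the tail
        stuck = all(seen.setdefault(d, (s, a)) == (s, a)
                    for _, d, s, a in list(q)[-threshold:])
        if stuck:
            flagged[flow] = len(q)
    return flagged


if __name__ == "__main__":
    for flow, n in detect_ack_storms(SAMPLE).items():
        print("ACK storm suspected:", flow, n, "bare ACKs in window")
```

In a real deployment the flagged flow key is what would feed the temporary firewall rule; the threshold should be tuned against the site's own baseline of bare-ACK rates.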
