Date: Tue, 24 Sep 2002 09:34:03 -0700
From: Terry Lambert <tlambert2@mindspring.com>
To: Eric Anderson <anderson@centtech.com>
Cc: freebsd-chat@freebsd.org
Subject: Re: FreeBSD NFS server using two NICs
Message-ID: <3D9093FB.36A193FE@mindspring.com>
References: <3D8A3E52.2090202@centtech.com> <3D8A428B.B96FBE75@mindspring.com> <3D8A458B.2080608@centtech.com> <3D8A4B40.67C8E2A2@mindspring.com> <3D8F66AB.8020309@centtech.com> <3D8F8401.E77A5DA9@mindspring.com> <3D9061C9.5050409@centtech.com>
Eric Anderson wrote:
> > Make it all fit in one packet. I don't know what options, etc.,
> > you are using. I would suggest 1K (1024), so that it will fit
> > in a single packet, even with some extra options set.
> >
> > 1500 is the standard MTU... if it looks small to you, you must
> > have some really whacked-out hardware... and it must violate the
> > ethernet standards. 8-).
>
> I meant the read/write size seems small to be set at 1500 or 1k. That
> would significantly reduce performance, correct?

Right now it's not working. Whatever you do will not "reduce
performance" from that.

The answer is: if you want a data window larger than the MTU, use a
transport protocol that supports data windows, instead of trying to
abuse the packet reassembly buffer as a fixed window, rather than a
sliding window.

> > Feel free to switch to an 8K (8192) or larger read/write size,
> > *IF you use TCP instead of UDP*.
>
> I think you are on to something here - I am using TCP only, and it's
> working fine using both interfaces. UDP strikes again! damn.. 8-).

Good.

Technically, FreeBSD has a DoS vulnerability here, in the UDP large
packet reassembly case, but technically, people are not supposed to use
large UDP packets in the first place, and very few services export UDP
onto the live Internet.

I imagine that if one wanted to exploit this, they could use very large
UDP DNS "requests", which never get out of the packet reassembly
buffer, e.g. send 63 out of 64 packets, and never send the first one.

The funny part, though, is that DNS over UDP goes to TCP if the packet
size goes over what would fit in a single UDP packet, so legitimate
requests never use the packet reassembly buffer. The upshot is that
this "DoS attack" would only result in the limit of the memory for the
packet reassembly queue being consumed, and no legitimate traffic
failing (since it would go right through without being enqueued for
reassembly).

So I guess the only system that would be vulnerable to this would be
one that exported two UDP services, one which habitually abused large
UDP packets to fake a window -- basically, Linux NFS. 8-).

-- Terry
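The following is an added illustration of the point made in this message, not code from the thread or from FreeBSD's IP stack. It is a toy model of a fragment reassembly queue: it shows why an NFS read/write size larger than the MTU over UDP has to lean on IP fragment reassembly (an 8K write needs six fragments at a 1500-byte MTU, a 1K one needs none), why an unfragmented datagram still gets through when the queue is full, and how a memory cap plus a reassembly timeout bounds what incomplete fragment sets can hold. The constants (MTU 1500, 20-byte IP header, 8-byte UDP header, the queue cap, the timeout) and the host names are assumptions chosen for the illustration.

```python
"""Toy model of an IP fragment reassembly queue (constructed example,
not FreeBSD's reassembly code). Constants below are assumptions."""
from dataclasses import dataclass, field

IP_HEADER = 20                   # assumed: IPv4 header without options
UDP_HEADER = 8
MTU = 1500                       # standard Ethernet MTU
FRAG_PAYLOAD = MTU - IP_HEADER   # 1480 data bytes per fragment (multiple of 8)


def fragment_count(udp_payload: int, mtu: int = MTU) -> int:
    """IP fragments needed for a UDP datagram carrying udp_payload bytes."""
    per_frag = (mtu - IP_HEADER) // 8 * 8   # offsets are in 8-byte units
    return -(-(udp_payload + UDP_HEADER) // per_frag)   # ceiling division


@dataclass
class Partial:
    total: int                  # fragments expected for this datagram
    first_seen: float           # time the first fragment arrived
    got: set = field(default_factory=set)
    held: int = 0               # bytes this datagram occupies in the queue


class ReassemblyQueue:
    """Fixed-size reassembly buffer with a per-datagram timeout."""

    def __init__(self, max_bytes: int, timeout: float):
        self.max_bytes, self.timeout = max_bytes, timeout
        self.pending: dict = {}      # (src, ip_id) -> Partial
        self.used = self.completed = self.dropped = self.expired = 0

    def expire(self, now: float) -> None:
        """Free every fragment set that has waited longer than the timeout."""
        stale = [k for k, p in self.pending.items() if now - p.first_seen > self.timeout]
        for k in stale:
            self.used -= self.pending.pop(k).held
            self.expired += 1

    def offer(self, key, index: int, total: int, size: int, now: float) -> str:
        """Accept one fragment; returns complete / pending / dropped / duplicate."""
        self.expire(now)
        if total == 1:
            # An unfragmented datagram never touches the queue, so it
            # gets through even when the queue is full.
            self.completed += 1
            return "complete"
        p = self.pending.get(key)
        if p is not None and index in p.got:
            return "duplicate"
        if self.used + size > self.max_bytes:
            self.dropped += 1           # no room left: fragment is discarded
            return "dropped"
        if p is None:
            p = self.pending[key] = Partial(total, now)
        p.got.add(index)
        p.held += size
        self.used += size
        if len(p.got) == p.total:       # last piece: hand the datagram up
            del self.pending[key]
            self.used -= p.held
            self.completed += 1
            return "complete"
        return "pending"


def simulate(max_bytes: int = 256 * 1024, timeout: float = 30.0) -> dict:
    """Run the message's scenarios through the toy queue and report counters."""
    q = ReassemblyQueue(max_bytes, timeout)
    # 1) Legitimate 8K NFS write over UDP at t=0: every fragment arrives.
    n8k = fragment_count(8192)
    for i in range(n8k):
        q.offer(("nfs-client", 1), i, n8k, FRAG_PAYLOAD, now=0.0)
    after_legit = q.used                       # back to zero once reassembled
    # 2) Three 64-fragment datagrams, each missing fragment 0, at t=1.
    for ip_id in range(3):
        for i in range(1, 64):
            q.offer(("unknown-host", ip_id), i, 64, FRAG_PAYLOAD, now=1.0)
    at_cap = q.used
    # 3) With the queue full, an unfragmented 1K request still completes.
    small = q.offer(("dns-client", 7), 0, fragment_count(1024), 1024 + UDP_HEADER, now=2.0)
    # 4) After the timeout the incomplete sets are freed.
    q.expire(now=40.0)
    return {"frags_per_8k_write": n8k, "used_after_legit": after_legit,
            "used_at_cap": at_cap, "dropped": q.dropped,
            "small_while_full": small, "expired": q.expired,
            "used_after_expiry": q.used}


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

With a 256 KiB cap, the three incomplete sets fill the queue at 261960 bytes and the twelve fragments that no longer fit are dropped, yet the unfragmented 1K request completes because it never enters the queue, and the expiry pass at t=40 returns the queue to zero. Real stacks differ in their limits and in per-source accounting, but the shape of the bound (cap plus timeout, with unfragmented traffic unaffected) is what the message describes.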