From: Andre Oppermann
Date: Fri, 13 Jan 2012 10:47:53 +0100
To: Nikolay Denev
Cc: freebsd-net@freebsd.org
Subject: Re: ICMP attacks against TCP and PMTUD
Message-ID: <4F0FFDC9.1090503@freebsd.org>
List-Id: Networking and TCP/IP with FreeBSD

On 12.01.2012 18:55, Nikolay Denev wrote:
> Hello,
>
> A web server that I administer running Nginx and FreeBSD-7.3-STABLE was recently
> under an ICMP attack that generated a large amount of outgoing TCP traffic.
> With some tcpdump and netflow analysis it was evident that the attackers are using
> ICMP host-unreach need-frag messages to make the web server
> retransmit multiple times, giving an amplification factor of about 1.6.
> Then I noticed RFC5927 ( http://www.faqs.org/rfcs/rfc5927.html ) and specifically section 7.2
> which discusses countermeasures against such attacks. The text reads:
>
> This section describes a modification to the PMTUD mechanism
> specified in [RFC1191] and [RFC1981] that has been incorporated in
> OpenBSD and NetBSD (since 2005) to improve TCP's resistance to the
> blind performance-degrading attack described in Section 7.1. The
> described counter-measure basically disregards ICMP messages when a
> connection makes progress, without violating any of the requirements
> stated in [RFC1191] and [RFC1981].
>
> The RFC is recent (dated from July 2010), and it mentions several times Linux, Free, Open and NetBSD,
> but exactly in this paragraph it is mentioning only Net and OpenBSD's, thus I'm asking if
> anyone has an idea if these modifications were being put into FreeBSD?

We haven't implemented this (yet).

> I quickly glanced upon the source, but the TCP code is a bit too much for me :)
>
> Also if anybody has observed a similar attack, how are you protecting yourself from it?
> Simply blocking host-unreach need-frag would break PMTUD.

We have a sysctl called "net.inet.tcp.minmss" which lower-bounds the MSS
we accept in SYN and ICMP need frag messages. It defaults to 216 as 256
is the smallest allowable MTU in the Internet. The only known user of
MTU 256 is packet radio which isn't exactly much used on the common
Internet. You should be able to safely increase this value to 536. If
you are willing to live with a little bit of fall-out then 1220 is a
good value as well.

> P.S.: I know 7.3 is pretty old, and I've planned an upgrade to 8.2. I'm also curious if 8.2 will behave differently.

No.

--
Andre
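Added example, not code from the thread or from FreeBSD's TCP stack: a small Python model of the two defences discussed above, the net.inet.tcp.minmss floor on MSS values accepted from ICMP need-frag messages, and the RFC 5927 section 7.2 idea of disregarding such a message when the connection keeps making progress. The TcpConn class, its field names and the simplified "defer the MTU change until the retransmission timer fires" rule are assumptions for illustration, not the exact OpenBSD/NetBSD algorithm.

```python
from dataclasses import dataclass
from typing import Optional

IP_HDR, TCP_HDR = 20, 20            # IPv4 and TCP headers without options


@dataclass
class TcpConn:
    """Hypothetical per-connection state (assumed names, not FreeBSD's)."""
    minmss: int = 216               # FreeBSD default quoted in the thread; 536 is the suggested value
    mss: int = 1460
    snd_una: int = 0                # oldest unacknowledged sequence number
    pending_mtu: Optional[int] = None   # Next-Hop MTU from a deferred ICMP need-frag
    una_at_icmp: int = 0            # snd_una at the moment that ICMP arrived
    dropped: int = 0                # ICMPs ignored; a useful counter to alert on

    def on_icmp_needfrag(self, next_hop_mtu: int) -> bool:
        """Record the advertised MTU instead of acting on it at once.
        Returns False when the message is rejected or irrelevant."""
        if next_hop_mtu - IP_HDR - TCP_HDR < self.minmss:
            self.dropped += 1       # would push MSS below the floor: treat as bogus
            return False
        if next_hop_mtu >= self.mss + IP_HDR + TCP_HDR:
            return False            # not a reduction, nothing to do
        self.pending_mtu = next_hop_mtu
        self.una_at_icmp = self.snd_una
        return True

    def on_ack(self, ack: int) -> None:
        """New cumulative ACK: the connection is making progress."""
        if ack > self.snd_una:
            self.snd_una = ack

    def on_rto(self) -> bool:
        """Retransmission timer expired: honour the deferred ICMP only if
        no new data was acknowledged since it arrived."""
        if self.pending_mtu is None:
            return False
        if self.snd_una > self.una_at_icmp:
            self.dropped += 1       # connection progressed, so the ICMP was not needed
            self.pending_mtu = None
            return False
        self.mss = self.pending_mtu - IP_HDR - TCP_HDR
        self.pending_mtu = None
        return True
```

With minmss raised to 536 as suggested in the reply, an attacker's need-frag advertising a 100-byte MTU is dropped outright, and one advertising 576 only takes effect if the connection really stalls.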