From nobody Mon May 06 07:27:31 2024 X-Original-To: dev-commits-src-main@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4VXtLX17WTz5JWSV; Mon, 06 May 2024 07:28:36 +0000 (UTC) (envelope-from Alexander@Leidinger.net) Received: from mailgate.Leidinger.net (mailgate.leidinger.net [IPv6:2a00:1828:2000:313::1:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature ECDSA (P-256) client-digest SHA256) (Client CN "mailgate.leidinger.net", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4VXtLW4tYcz4mMn; Mon, 6 May 2024 07:28:35 +0000 (UTC) (envelope-from Alexander@Leidinger.net) Authentication-Results: mx1.freebsd.org; none List-Id: Commit messages for the main branch of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-main@freebsd.org Sender: owner-dev-commits-src-main@FreeBSD.org MIME-Version: 1.0 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=leidinger.net; s=outgoing-alex; t=1714980499; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=ZJzFhsNK4+FZVspsUg/USQRWdXrdq+PCEQi1/Kj/NYs=; b=ZLNibk/u/lfKtb0c460hbq6qluRHDoJO7OHLaW7gX1BjxGNdeGXzPww3ptCDjPlx3ZOH62 o8PwzOSHlJB0kcvM5s0nJaoMJdLeNyv25wmkVp7rng5Cd/6hAP3ywjA+9wsF2PocBgqALG ildHwJBS7E2+AAQ90ZIWEEzmRtv79bZsk9O3vd7aPm9PA8plsdiaU6BR4Kd1NBFf8eetzp XAii6Usj2qPTVRB6//cSscnp1v/0FCXQ8/FjJZ4vSsAcpULMc5luGCPvSqcsxWY4SR+5B6 pZRgFlirWnnQ3NA1B3NwyTBfihdm7jY595fBCWVozQ29Utve4VuopLpWp5cDWQ== Date: Mon, 06 May 2024 09:27:31 +0200 From: Alexander Leidinger To: Randall Stewart Cc: src-committers@freebsd.org, dev-commits-src-all@freebsd.org, dev-commits-src-main@freebsd.org Subject: Re: git: fce03f85c5bf - main - TCP can be subject to Sack Attacks lets fix this issue. In-Reply-To: <202405051310.445DAMEO069675@gitrepo.freebsd.org> References: <202405051310.445DAMEO069675@gitrepo.freebsd.org> Message-ID: <97c2eddd682d7347b0d26c0f042401bb@Leidinger.net> Organization: No organization, this is a private message. Content-Type: multipart/signed; protocol="application/pgp-signature"; boundary="=_ac10579ddc816563745799399c6fecbf"; micalg=pgp-sha256 X-Spamd-Bar: ---- X-Rspamd-Pre-Result: action=no action; module=replies; Message is reply to one we originated X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[]; ASN(0.00)[asn:34240, ipnet:2a00:1828::/32, country:DE] X-Rspamd-Queue-Id: 4VXtLW4tYcz4mMn This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --=_ac10579ddc816563745799399c6fecbf Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=US-ASCII; format=flowed Am 2024-05-05 15:10, schrieb Randall Stewart: > The branch main has been updated by rrs: > > URL: > https://cgit.FreeBSD.org/src/commit/?id=fce03f85c5bfc0d73fb5c43ac1affad73efab11a > > commit fce03f85c5bfc0d73fb5c43ac1affad73efab11a > Author: Randall Stewart > AuthorDate: 2024-05-05 13:08:47 +0000 > Commit: Randall Stewart > CommitDate: 2024-05-05 13:08:47 +0000 > > TCP can be subject to Sack Attacks lets fix this issue. > > There is a type of attack that a TCP peer can launch on a > connection. This is for sure in Rack or BBR and probably even the > default stack if it uses lists in sack processing. The idea of the > attack is that the attacker is driving you to look at 100's of sack > blocks that only update 1 byte. So for example if you have 1 - 10,000 > bytes outstanding the attacker sends in something like: > > ACK 0 SACK(1-512) SACK(1024 - 1536), SACK(2048-2536), SACK(4096 - > 4608), SACK(8192-8704) > This first sack looks fine but then the attacker sends > > ACK 0 SACK(1-512) SACK(1025 - 1537), SACK(2049-2537), SACK(4097 - > 4609), SACK(8193-8705) > ACK 0 SACK(1-512) SACK(1027 - 1539), SACK(2051-2539), SACK(4099 - > 4611), SACK(8195-8707) > ... > These blocks are making you hunt across your linked list and split > things up so that you have an entry for every other byte. Has your list > grows you spend more and more CPU running through the lists. The idea > here is the attacker chooses entries as far apart as possible that make > you run through the list. This example is small but in theory if the > window is open to say 1Meg you could end up with 100's of thousands > link list entries. Would it make sense to use a tree list (generic example: https://commons.apache.org/proper/commons-collections/apidocs/org/apache/commons/collections4/list/TreeList.html) instead of a linked list additional/independently to what you committed? > diff --git a/sys/netinet/tcp_stacks/sack_filter.c > b/sys/netinet/tcp_stacks/sack_filter.c > index e82fcee2ffac..fc9ee8454a1e 100644 > --- a/sys/netinet/tcp_stacks/sack_filter.c > +++ b/sys/netinet/tcp_stacks/sack_filter.c > #ifndef _KERNEL > + > +static u_int tcp_fixed_maxseg(const struct tcpcb *tp) > +{ > + /* Lets pretend their are timestamps on for user space */ > + return (tp->t_maxseg - 12); > +} Typo in the comment? Bye, Alexander. -- http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF http://www.FreeBSD.org netchild@FreeBSD.org : PGP 0x8F31830F9F2772BF --=_ac10579ddc816563745799399c6fecbf Content-Type: application/pgp-signature; name=signature.asc Content-Disposition: attachment; filename=signature.asc; size=833 Content-Description: OpenPGP digital signature -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEER9UlYXp1PSd08nWXEg2wmwP42IYFAmY4hnEACgkQEg2wmwP4 2IZ4LQ//agGP6jJNatCBAVq+eYwkuSANG3Gjc1k0X+M5gYDyfLygwS32Nh+xNnmr lLgZi9zECoPjOY+iWQCaW5v0u62IZVk4JWA2kQ2yys+wAKx4RHZBvXcorrQx/PLa EBf87h14rfPFHHYHfOxrH9iE1Eu6ANdzqW490yKTSEaD6ELkROqkgjXAtD9LZra8 S1bvmrDHX4EZm2Ski9OI7D1eNMUd6u0Swr7eeJoqDIjLLL3b2lO4xM24mlIPVQf8 BQBZOjx2QJaQy2Xw6Rsaf+ze8hOXKe/HVFRU6y+utH6dtUjPIogHsIMzdhPsGdxz /FtGcZXr/dJpcCmo8vLW+3mK24SVEVcr/ByL6fw55E61g8dhL2ksL/rbgLRTpzP/ 0FPX0JhSkHjE+Vv2sL80JmyueJbmwwiyNMdFC6YeLIDatOJFjLWPIj6HNEC8n/x5 C+hu/Cxy3MYM1IVgeKh8X1iF/Y5cWQIFhyGi8ob/DKl8arszm13oZi7IxZxIwYOT Sv5Q2JDjU5p8GzDkpP6vijZhrfG2Mb65RzmzWf8L7zriPZ20XS2egDzALZLtDtti KIiywBY6TPw1OpGec2hiH5hHCC8dyW1n9It+avL+z2I+Ml2uv0eySy/Bi2HOMB5L XGRU7x0hgYDwFBVB/5RWQJE3c7YojCc5matpn2tXQOOMn3vqM3M= =S0f9 -----END PGP SIGNATURE----- --=_ac10579ddc816563745799399c6fecbf--