cvs commit: src/sys/netinet ip_icmp.c tcp.h tcp_input.c tcp_subr.c tcp_usrreq.c tcp_var.h

Andre Oppermann andre at FreeBSD.org
Thu Jan 8 09:40:25 PST 2004


andre       2004/01/08 09:40:07 PST

  FreeBSD src repository

  Modified files:
    sys/netinet          ip_icmp.c tcp.h tcp_input.c tcp_subr.c 
                         tcp_usrreq.c tcp_var.h 
  Log:
  Limiters and sanity checks for TCP MSS (maximum segement size)
  resource exhaustion attacks.
  
  For network link optimization TCP can adjust its MSS and thus
  packet size according to the observed path MTU.  This is done
  dynamically based on feedback from the remote host and network
  components along the packet path.  This information can be
  abused to pretend an extremely low path MTU.
  
  The resource exhaustion works in two ways:
  
   o during tcp connection setup the advertized local MSS is
     exchanged between the endpoints.  The remote endpoint can
     set this arbitrarily low (except for a minimum MTU of 64
     octets enforced in the BSD code).  When the local host is
     sending data it is forced to send many small IP packets
     instead of a large one.
  
     For example instead of the normal TCP payload size of 1448
     it forces TCP payload size of 12 (MTU 64) and thus we have
     a 120 times increase in workload and packets. On fast links
     this quickly saturates the local CPU and may also hit pps
     processing limites of network components along the path.
  
     This type of attack is particularly effective for servers
     where the attacker can download large files (WWW and FTP).
  
     We mitigate it by enforcing a minimum MTU settable by sysctl
     net.inet.tcp.minmss defaulting to 256 octets.
  
   o the local host is reveiving data on a TCP connection from
     the remote host.  The local host has no control over the
     packet size the remote host is sending.  The remote host
     may chose to do what is described in the first attack and
     send the data in packets with an TCP payload of at least
     one byte.  For each packet the tcp_input() function will
     be entered, the packet is processed and a sowakeup() is
     signalled to the connected process.
  
     For example an attack with 2 Mbit/s gives 4716 packets per
     second and the same amount of sowakeup()s to the process
     (and context switches).
  
     This type of attack is particularly effective for servers
     where the attacker can upload large amounts of data.
     Normally this is the case with WWW server where large POSTs
     can be made.
  
     We mitigate this by calculating the average MSS payload per
     second.  If it goes below 'net.inet.tcp.minmss' and the pps
     rate is above 'net.inet.tcp.minmssoverload' defaulting to
     1000 this particular TCP connection is resetted and dropped.
  
  MITRE CVE:      CAN-2004-0002
  Reviewed by:    sam (mentor)
  MFC after:      1 day
  
  Revision  Changes    Path
  1.87      +4 -2      src/sys/netinet/ip_icmp.c
  1.19      +19 -1     src/sys/netinet/tcp.h
  1.219     +60 -0     src/sys/netinet/tcp_input.c
  1.174     +24 -0     src/sys/netinet/tcp_subr.c
  1.91      +2 -1      src/sys/netinet/tcp_usrreq.c
  1.94      +7 -0      src/sys/netinet/tcp_var.h


More information about the cvs-src mailing list