ICMP attacks against TCP and PMTUD

Nikolay Denev ndenev at gmail.com
Fri Jan 20 08:32:25 UTC 2012


On Jan 15, 2012, at 9:52 PM, Nikolay Denev wrote:

> On 15.01.2012, at 21:35, Andrey Zonov <andrey at zonov.org> wrote:
> 
>> This helped me:
>> /boot/loader.conf
>> net.inet.tcp.hostcache.hashsize=65536
>> net.inet.tcp.hostcache.cachelimit=1966080
>> 
>> Actually, this is a workaround.  As I remember, the real problem is in
>> tcp_ctlinput(): it could not update the MTU for the destination IP if the
>> hostcache allocation fails.  tcp_hc_updatemtu() should return NULL if
>> tcp_hc_insert() returns NULL, and tcp_ctlinput() should check this case
>> and set the updated MTU for this particular connection if
>> tcp_hc_updatemtu() fails.  Otherwise we've got an infinite loop in MTU
>> discovery.
>> 
>> 
>> On 15.01.2012 22:59, Nikolay Denev wrote:
>>> 
>>> % uptime
>>> 7:57PM  up 608 days,  4:06, 1 user, load averages: 0.30, 0.21, 0.17
>>> 
>>> % vmstat -z|grep hostcache
>>> hostcache:                136,    15372,    15136,      236, 44946965, 10972760
>>> 
>>> 
>>> Hmm… probably I should increase this….
>>> 
>> 
>> --
>> Andrey Zonov
> 
> Thanks, I will test this asap!
> 
> Regards,
> Nikolay

I've upgraded from 7.3-STABLE to 8.2-STABLE and bumped significantly the hostcache tunables.
So far so good, I'll report back if I see similar traffic spikes.
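The thread diagnoses the problem from one `vmstat -z` row: the hostcache zone is almost at its LIMIT and has a large FAILURES count, so tcp_hc_insert() fails and PMTUD cannot record the reduced MTU. The following script is an added example, not code from the thread or from FreeBSD; it parses the row quoted above (embedded as a constructed sample, in the 7.x/8.x column order ITEM, SIZE, LIMIT, USED, FREE, REQ, FAIL), flags exhaustion, and derives the cachelimit that matches a chosen hashsize. The relation cachelimit = hashsize * bucketlimit with bucketlimit defaulting to 30 is an assumption of the example, as are the names of all functions.

```python
import re

# Constructed sample: the `vmstat -z | grep hostcache` row quoted in the thread.
# Columns (FreeBSD 7.x/8.x): ITEM, SIZE, LIMIT, USED, FREE, REQ, FAIL.
SAMPLE_VMSTAT_Z = (
    "hostcache:                136,    15372,    15136,      236, 44946965, 10972760"
)

# Assumed default of net.inet.tcp.hostcache.bucketlimit (30); the kernel sizes
# the zone as hashsize * bucketlimit, so cachelimit should track hashsize.
DEFAULT_BUCKET_LIMIT = 30


def parse_zone_line(line):
    """Parse one `vmstat -z` row into a dict of integer fields.

    Accepts rows with six or more numeric columns so it also tolerates the
    extra columns newer releases print; only the first six are used.
    """
    name, rest = line.split(":", 1)
    fields = [int(f) for f in re.findall(r"\d+", rest)]
    if len(fields) < 6:
        raise ValueError("unexpected vmstat -z row: %r" % line)
    size, limit, used, free, req, fail = fields[:6]
    return {"name": name.strip(), "size": size, "limit": limit,
            "used": used, "free": free, "req": req, "fail": fail}


def hostcache_pressure(zone, warn_ratio=0.9):
    """Return (fill_ratio, exhausted).

    The zone is treated as exhausted when allocations have already failed
    (FAIL > 0) or when USED is within warn_ratio of LIMIT; either condition
    means tcp_hc_insert() can fail and PMTUD results are not cached.
    """
    ratio = zone["used"] / zone["limit"] if zone["limit"] else 0.0
    exhausted = zone["fail"] > 0 or ratio >= warn_ratio
    return ratio, exhausted


def cachelimit_for(hashsize, bucket_limit=DEFAULT_BUCKET_LIMIT):
    """cachelimit that keeps the assumed hashsize * bucketlimit relation."""
    if hashsize <= 0 or hashsize & (hashsize - 1):
        raise ValueError("hashsize should be a positive power of two")
    return hashsize * bucket_limit


def loader_conf_lines(hashsize, bucket_limit=DEFAULT_BUCKET_LIMIT):
    """Render the two /boot/loader.conf tunables for a given hashsize."""
    return [
        "net.inet.tcp.hostcache.hashsize=%d" % hashsize,
        "net.inet.tcp.hostcache.cachelimit=%d" % cachelimit_for(hashsize, bucket_limit),
    ]


def report(line, new_hashsize=65536):
    """Human-readable summary for one vmstat -z hostcache row."""
    zone = parse_zone_line(line)
    ratio, exhausted = hostcache_pressure(zone)
    out = ["%s: %d/%d used (%.1f%%), %d allocation failures"
           % (zone["name"], zone["used"], zone["limit"], ratio * 100, zone["fail"])]
    if exhausted:
        out.append("hostcache exhausted; PMTUD updates can be dropped, consider:")
        out.extend("  " + l for l in loader_conf_lines(new_hashsize))
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_VMSTAT_Z))
```

Run it against live output with `vmstat -z | grep hostcache` piped into `parse_zone_line`; a non-zero FAIL column is the signal that matters, since a cache that merely looks full may still be recycling entries while one that reports failures is already dropping MTU updates.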


