ICMP attacks against TCP and PMTUD

Nikolay Denev ndenev at gmail.com
Mon Jan 23 15:01:11 UTC 2012


On Jan 20, 2012, at 10:32 AM, Nikolay Denev wrote:

> On Jan 15, 2012, at 9:52 PM, Nikolay Denev wrote:
> 
>> On 15.01.2012, at 21:35, Andrey Zonov <andrey at zonov.org> wrote:
>> 
>>> This helped me:
>>> /boot/loader.conf
>>> net.inet.tcp.hostcache.hashsize=65536
>>> net.inet.tcp.hostcache.cachelimit=1966080
>>> 
>>> Actually, this is a workaround.  As I remember, the real problem is in
>>> tcp_ctlinput(): it cannot update the MTU for the destination IP if the hostcache
>>> allocation fails.  tcp_hc_updatemtu() should return NULL if
>>> tcp_hc_insert() returns NULL, and tcp_ctlinput() should check this case
>>> and set the updated MTU for this particular connection if
>>> tcp_hc_updatemtu() fails.  Otherwise we get an infinite loop in MTU
>>> discovery.
>>> 
>>> 
>>> On 15.01.2012 22:59, Nikolay Denev wrote:
>>>> 
>>>> % uptime
>>>> 7:57PM  up 608 days,  4:06, 1 user, load averages: 0.30, 0.21, 0.17
>>>> 
>>>> % vmstat -z|grep hostcache
>>>> hostcache:                136,    15372,    15136,      236, 44946965, 10972760
>>>> 
>>>> 
>>>> Hmm… probably I should increase this….
>>>> 
>>> 
>>> --
>>> Andrey Zonov
>> 
>> Thanks, I will test this asap!
>> 
>> Regards,
>> Nikolay
> 
> I've upgraded from 7.3-STABLE to 8.2-STABLE and bumped significantly the hostcache tunables.
> So far so good, I'll report back if I see similar traffic spikes.
> 

Seems like I have been wrong about these traffic spikes being attacks, and
actually the problem seems to be the pmtu infinite loop Andrey described.
I'm now running 8.2-STABLE with hostcache significantly bumped and regularly
have more than 20K hostcache entries, which was more than the default limit of 15K I was running with before.
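As an added example (not from the thread or from FreeBSD), a small sh check that reads the `vmstat -z` hostcache line the way the posters did, flags allocation failures (the condition under which tcp_hc_insert() returns NULL) and derives the entry limit from the two loader tunables. It assumes the column order ITEM SIZE LIMIT USED FREE REQ FAIL and that cachelimit is hashsize times bucketlimit.

```shell
#!/bin/sh
# Derive the hostcache entry limit from the two loader tunables
# (assumed: net.inet.tcp.hostcache.cachelimit = hashsize * bucketlimit).
hostcache_limit() {
    echo $(( $1 * $2 ))
}

# Parse one "vmstat -z" hostcache line (assumed columns:
# ITEM SIZE LIMIT USED FREE REQ FAIL) and print "used limit pct fail".
# Returns 2 if allocations have ever failed (entries could not be
# inserted, so PMTU updates are lost), 1 if the zone is >= 90% full,
# 0 otherwise.
hostcache_check() {
    set -- $(printf '%s\n' "$1" | tr -d ',')
    limit=$3 used=$4 fail=$7
    pct=$(( used * 100 / limit ))
    echo "$used $limit $pct $fail"
    if [ "$fail" -gt 0 ]; then
        return 2
    elif [ "$pct" -ge 90 ]; then
        return 1
    fi
    return 0
}

# Constructed sample: the vmstat -z line quoted earlier in this thread.
SAMPLE='hostcache:                136,    15372,    15136,      236, 44946965, 10972760'

# Pass a live line as the first argument (vmstat -z | grep '^hostcache:'),
# otherwise the sample from the thread is analysed.
LINE=${1:-$SAMPLE}
hostcache_check "$LINE" ||
    echo "hostcache zone is exhausted or nearly full (rc=$?); raise the cachelimit tunable"
```

With the thread's numbers the zone is 98% full with over ten million failed allocations, which is the symptom to look for before chasing it as an attack.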
