ACK Storm protection?
Matt Riffle
matt at pair.com
Fri Jul 21 19:04:32 UTC 2017
Hello,
Since July 11, I’ve been seeing an increasing number of what appear to be “ACK storms” affecting a number of FreeBSD boxes I’m administering. There are a few unsupported releases mixed in, but this is also happening on boxes running 10.3-RELEASE-p3.
In the cases we’re seeing, it begins with legitimate TCP traffic requesting something over HTTP, but soon thereafter we get an out-of-window packet and get into a loop. If anybody is interested, or especially if they’ve experienced something similar, there are a few more details I could share privately.
Setting aside the cause, I’m interested in trying to mitigate the problem. None of my Ubuntu boxes appear to be affected, I presume because of these patches Google made to the kernel there:
https://www.ietf.org/mail-archive/web/tcpm/current/msg09445.html
Is there any equivalent protection for FreeBSD? In my own research I’ve been unable to find anything. In fact, beyond the message above you can’t find very much about ACK storms at all.
Right now we’re mitigating with custom code that sniffs packets and adds temporary firewall rules whenever it sees a loop start. That’s working well enough, but I’d prefer to handle it at a lower level if possible.
Thanks,
Matt R.
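The sniff-and-block mitigation described in the post, as an added example that is not the poster's code and not part of FreeBSD. It assumes a sniffer (libpcap or similar) hands us one record per TCP segment with the fields shown; the 20-ACKs-per-second threshold, the sample capture and the addresses are all constructed for illustration. The storm signature it keys on is the one the post describes: after the out-of-window segment, both ends keep answering each other with the same bare ACK, so a flow accumulates many pure ACKs but only two distinct (sender, seq, ack) triples. Any data, SYN, FIN or RST segment resets the bucket, so delayed ACKs on a download (ack numbers advancing) and dup-ACK loss recovery (answered with data) do not trip it.

```python
"""Offline ACK-storm detector over constructed packet records.

Added example, not code from the original post or from FreeBSD.  Assumed: a
sniffer hands us one Pkt per TCP segment; threshold/window are illustrative.
"""
from collections import defaultdict, deque
from typing import List, NamedTuple, Optional, Tuple


class Pkt(NamedTuple):
    ts: float     # capture time in seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: str    # TCP flag letters, e.g. "S", "SA", "A", "PA", "R"
    seq: int
    ack: int
    plen: int     # payload bytes


Flow = Tuple[Tuple[str, int], Tuple[str, int]]


def flow_key(p: Pkt) -> Flow:
    """Direction-independent 4-tuple so both halves of the loop share one bucket."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


def is_pure_ack(p: Pkt) -> bool:
    return p.flags == "A" and p.plen == 0


class AckStormDetector:
    """Flag a flow when both ends keep firing the same bare ACKs at each other.

    Storm signature: at least `threshold` pure ACKs within `window` seconds on
    one flow, but at most two distinct (sender, seq, ack) triples.  A segment
    carrying data or SYN/FIN/RST means the connection is still progressing and
    clears the bucket.
    """

    def __init__(self, threshold: int = 20, window: float = 1.0):
        self.threshold = threshold
        self.window = window
        self.hist = defaultdict(deque)   # flow -> deque of (ts, (sender, seq, ack))
        self.flagged = set()

    def feed(self, p: Pkt) -> Optional[Flow]:
        """Return the flow key the first time this flow crosses the storm threshold."""
        k = flow_key(p)
        q = self.hist[k]
        if not is_pure_ack(p):
            q.clear()
            return None
        q.append((p.ts, (p.src, p.seq, p.ack)))
        while q and p.ts - q[0][0] > self.window:   # age out old ACKs
            q.popleft()
        distinct = {sig for _, sig in q}
        if len(q) >= self.threshold and len(distinct) <= 2 and k not in self.flagged:
            self.flagged.add(k)
            return k
        return None


def ipfw_block_rules(flow: Flow, rule_no: int = 1000) -> List[str]:
    """Temporary ipfw rules dropping the looping flow in both directions.

    One option for the 'add a firewall rule' step; a pf table works as well.
    """
    (a_ip, a_port), (b_ip, b_port) = flow
    return [
        f"ipfw add {rule_no} deny tcp from {a_ip} {a_port} to {b_ip} {b_port}",
        f"ipfw add {rule_no} deny tcp from {b_ip} {b_port} to {a_ip} {a_port}",
    ]


# Constructed sample capture (documentation addresses): handshake and one HTTP
# exchange, then a loop that starts after an out-of-window segment at t=2.0s.
C, S = "203.0.113.5", "198.51.100.10"
CP, SP = 3456, 80
SAMPLE_STORM = [
    Pkt(0.000, C, CP, S, SP, "S", 1000, 0, 0),
    Pkt(0.010, S, SP, C, CP, "SA", 5000, 1001, 0),
    Pkt(0.020, C, CP, S, SP, "A", 1001, 5001, 0),
    Pkt(0.021, C, CP, S, SP, "PA", 1001, 5001, 80),     # GET /
    Pkt(0.040, S, SP, C, CP, "PA", 5001, 1081, 500),    # response
    Pkt(0.050, C, CP, S, SP, "A", 1081, 5501, 0),
]
for i in range(30):   # the loop: each side answers the other with a fixed bare ACK
    if i % 2 == 0:
        SAMPLE_STORM.append(Pkt(2.0 + i * 0.002, C, CP, S, SP, "A", 20000, 5501, 0))  # out of window
    else:
        SAMPLE_STORM.append(Pkt(2.0 + i * 0.002, S, SP, C, CP, "A", 5501, 1081, 0))

# Control: a receiver acknowledging a download, ack number advancing every time.
SAMPLE_LEGIT = [Pkt(0.01 * i, C, CP, S, SP, "A", 1081, 5501 + 1460 * i, 0) for i in range(40)]


def first_storm(packets) -> Optional[Tuple[int, Flow]]:
    """Run the detector over a capture; return (packet index, flow) of the first storm."""
    det = AckStormDetector()
    for idx, p in enumerate(packets):
        k = det.feed(p)
        if k is not None:
            return idx, k
    return None


if __name__ == "__main__":
    hit = first_storm(SAMPLE_STORM)
    print("storm:", hit)
    if hit:
        for rule in ipfw_block_rules(hit[1]):
            print(rule)
    print("legit:", first_storm(SAMPLE_LEGIT))
```

On the constructed capture the detector fires on the 20th bare ACK of the loop (packet index 25) and stays silent on the download control. In a live deployment the generated rules would be installed with a timer and removed once the flow is gone, and the threshold should be set against what the host's normal ACK rate per flow looks like.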
More information about the freebsd-security mailing list