All of lore.kernel.org
 help / color / mirror / Atom feed
From: Willy Tarreau <w@1wt.eu>
To: Matt Corallo <netdev-list@mattcorallo.com>
Cc: Keyu Man <kman001@ucr.edu>, Eric Dumazet <edumazet@google.com>,
	David Ahern <dsahern@gmail.com>, Florian Westphal <fw@strlen.de>,
	davem@davemloft.net, yoshfuji@linux-ipv6.org, dsahern@kernel.org,
	Jakub Kicinski <kuba@kernel.org>,
	netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
	Zhiyun Qian <zhiyunq@cs.ucr.edu>
Subject: Re: PROBLEM: DoS Attack on Fragment Cache
Date: Sun, 18 Apr 2021 06:39:33 +0200	[thread overview]
Message-ID: <20210418043933.GB18896@1wt.eu> (raw)
In-Reply-To: <78d776a9-4299-ff4e-8ca2-096ec5c02d05@bluematt.me>

On Sat, Apr 17, 2021 at 10:26:30PM -0400, Matt Corallo wrote:
> Sure, there are better ways to handle the reassembly cache overflowing, but
> that is pretty unrelated to the fact that waiting 30 full seconds for a
> fragment to come in doesn't really make sense in today's networks (the 30
> second delay that is used today appears to even be higher than RFC 791
> suggested in 1981!).

Not exactly actually, because you forget the TTL here. With most hosts
sending an initial TTL around 64, after crossing 10-15 hops it's still
around 50 so that would result in ~50 seconds by default, even according
to the 40 years old RFC791. The 15s there was the absolute minimum. While
I do agree that we shouldn't keep them that long nowadays, we can't go
too low without risking to break some slow transmission stacks (SLIP/PPP
over modems for example). In addition even cutting that in 3 will remain
trivially DoSable.

> You get a lot more bang for your buck if you don't wait
> around so long (or we could restructure things to kick out the oldest
> fragments, but that is a lot more work, and probably extra indexes that just
> aren't worth it).

Kicking out oldest ones is a bad approach in a system made only of
independent elements, because it tends to result in a lot of damage once
all of them behave similarly. I.e. if you need to kick out an old entry
in valid traffic, it's because you do need to wait that long, and if all
datagrams need to wait that long, then new datagrams systematically
prevent the oldest one from being reassembled, and none gest reassembled.
With a random approach at least your success ratio converges towards 1/e
(i.e. 36%) which is better.

Willy

  reply	other threads:[~2021-04-18  4:41 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <02917697-4CE2-4BBE-BF47-31F58BC89025@hxcore.ol>
2021-04-16 23:09 ` PROBLEM: DoS Attack on Fragment Cache Keyu Man
2021-04-17  0:31 ` David Ahern
2021-04-17  4:44   ` Eric Dumazet
2021-04-17  7:27     ` Willy Tarreau
     [not found]       ` <CAMqUL6bkp2Dy3AMFZeNLjE1f-sAwnuBWpXH_FSYTSh8=Ac3RKg@mail.gmail.com>
2021-04-17  7:50         ` Willy Tarreau
2021-04-18  1:30           ` Matt Corallo
2021-04-18  1:38             ` Keyu Man
2021-04-18  2:26               ` Matt Corallo
2021-04-18  4:39                 ` Willy Tarreau [this message]
2021-04-18 14:31                   ` Matt Corallo
2021-04-19  9:43                     ` Eric Dumazet
2021-04-19 17:20                       ` Matt Corallo

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210418043933.GB18896@1wt.eu \
    --to=w@1wt.eu \
    --cc=davem@davemloft.net \
    --cc=dsahern@gmail.com \
    --cc=dsahern@kernel.org \
    --cc=edumazet@google.com \
    --cc=fw@strlen.de \
    --cc=kman001@ucr.edu \
    --cc=kuba@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=netdev-list@mattcorallo.com \
    --cc=netdev@vger.kernel.org \
    --cc=yoshfuji@linux-ipv6.org \
    --cc=zhiyunq@cs.ucr.edu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.