All of lore.kernel.org
 help / color / mirror / Atom feed
From: Willy Tarreau <w@1wt.eu>
To: netdev@vger.kernel.org
Cc: David Miller <davem@davemloft.net>,
	Jakub Kicinski <kuba@kernel.org>,
	Eric Dumazet <edumazet@google.com>,
	Moshe Kol <moshe.kol@mail.huji.ac.il>,
	Yossi Gilad <yossi.gilad@mail.huji.ac.il>,
	Amit Klein <aksecurity@gmail.com>,
	linux-kernel@vger.kernel.org, Willy Tarreau <w@1wt.eu>
Subject: [PATCH net 6/7] tcp: increase source port perturb table to 2^16
Date: Wed, 27 Apr 2022 08:52:32 +0200	[thread overview]
Message-ID: <20220427065233.2075-7-w@1wt.eu> (raw)
In-Reply-To: <20220427065233.2075-1-w@1wt.eu>

Moshe Kol, Amit Klein, and Yossi Gilad reported being able to accurately
identify a client by forcing it to emit only 40 times more connections
than there are entries in the table_perturb[] table. The previous two
improvements consisting in resalting the secret every 10s and adding
randomness to each port selection only slightly improved the situation,
and the current value of 2^8 was too small as it's not very difficult
to make a client emit 10k connections in less than 10 seconds.

Thus we're increasing the perturb table from 2^8 to 2^16 so that the the
same precision now requires 2.6M connections, which is more difficult in
this time frame and harder to hide as a background activity. The impact
is that the table now uses 256 kB instead of 1 kB, which could mostly
affect devices making frequent outgoing connections. However such
components usually target a small set of destinations (load balancers,
database clients, perf assessment tools), and in practice only a few
entries will be visited, like before.

A live test at 1 million connections per second showed no performance
difference from the previous value.

Reported-by: Moshe Kol <moshe.kol@mail.huji.ac.il>
Reported-by: Yossi Gilad <yossi.gilad@mail.huji.ac.il>
Reported-by: Amit Klein <aksecurity@gmail.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
---
 net/ipv4/inet_hashtables.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c
index d746e5656baf..f30c50aaf8e2 100644
--- a/net/ipv4/inet_hashtables.c
+++ b/net/ipv4/inet_hashtables.c
@@ -726,11 +726,12 @@ EXPORT_SYMBOL_GPL(inet_unhash);
  * Note that we use 32bit integers (vs RFC 'short integers')
  * because 2^16 is not a multiple of num_ephemeral and this
  * property might be used by clever attacker.
- * RFC claims using TABLE_LENGTH=10 buckets gives an improvement,
- * we use 256 instead to really give more isolation and
- * privacy, this only consumes 1 KB of kernel memory.
+ * RFC claims using TABLE_LENGTH=10 buckets gives an improvement, though
+ * attacks were since demonstrated, thus we use 65536 instead to really
+ * give more isolation and privacy, at the expense of 256kB of kernel
+ * memory.
  */
-#define INET_TABLE_PERTURB_SHIFT 8
+#define INET_TABLE_PERTURB_SHIFT 16
 #define INET_TABLE_PERTURB_SIZE (1 << INET_TABLE_PERTURB_SHIFT)
 static u32 *table_perturb;
 
-- 
2.17.5


  parent reply	other threads:[~2022-04-27  6:55 UTC|newest]

Thread overview: 24+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-04-27  6:52 [PATCH net 0/7] insufficient TCP source port randomness Willy Tarreau
2022-04-27  6:52 ` [PATCH net 1/7] secure_seq: return the full 64-bit of the siphash Willy Tarreau
2022-04-27  9:56   ` kernel test robot
2022-04-27 10:07     ` Willy Tarreau
2022-04-27 10:07       ` Willy Tarreau
2022-04-27 16:35       ` Willy Tarreau
2022-04-27 16:35         ` Willy Tarreau
2022-04-27 16:50         ` Eric Dumazet
2022-04-27 16:50           ` Eric Dumazet
2022-04-27 16:56           ` Willy Tarreau
2022-04-27 16:56             ` Willy Tarreau
2022-04-27 17:18   ` Jason A. Donenfeld
2022-04-27 20:19     ` Willy Tarreau
2022-04-28  1:59   ` kernel test robot
2022-04-27  6:52 ` [PATCH net 2/7] tcp: use different parts of the port_offset for index and offset Willy Tarreau
2022-04-27  6:52 ` [PATCH net 3/7] tcp: resalt the secret every 10 seconds Willy Tarreau
2022-04-27 15:56   ` Stephen Hemminger
2022-04-27 16:21     ` Willy Tarreau
2022-04-27  6:52 ` [PATCH net 4/7] tcp: add small random increments to the source port Willy Tarreau
2022-04-27  6:52 ` [PATCH net 5/7] tcp: dynamically allocate the perturb table used by source ports Willy Tarreau
2022-04-27  6:52 ` Willy Tarreau [this message]
2022-04-27  8:07   ` [PATCH net 6/7] tcp: increase source port perturb table to 2^16 David Laight
2022-04-27  8:19     ` Willy Tarreau
2022-04-27  6:52 ` [PATCH net 7/7] tcp: drop the hash_32() part from the index calculation Willy Tarreau

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20220427065233.2075-7-w@1wt.eu \
    --to=w@1wt.eu \
    --cc=aksecurity@gmail.com \
    --cc=davem@davemloft.net \
    --cc=edumazet@google.com \
    --cc=kuba@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=moshe.kol@mail.huji.ac.il \
    --cc=netdev@vger.kernel.org \
    --cc=yossi.gilad@mail.huji.ac.il \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.