From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Willy Tarreau <w@1wt.eu>, Moshe Kol <moshe.kol@mail.huji.ac.il>,
	Yossi Gilad <yossi.gilad@mail.huji.ac.il>,
	Amit Klein <aksecurity@gmail.com>,
	Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>,
	davem@davemloft.net, yoshfuji@linux-ipv6.org, dsahern@kernel.org,
	pabeni@redhat.com, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 5.17 18/21] tcp: increase source port perturb table to 2^16
Date: Tue, 10 May 2022 11:43:37 -0400
Message-ID: <20220510154340.153400-18-sashal@kernel.org>
In-Reply-To: <20220510154340.153400-1-sashal@kernel.org>

From: Willy Tarreau <w@1wt.eu>

[ Upstream commit 4c2c8f03a5ab7cb04ec64724d7d176d00bcc91e5 ]

Moshe Kol, Amit Klein, and Yossi Gilad reported being able to accurately
identify a client by forcing it to emit only 40 times more connections
than there are entries in the table_perturb[] table. The previous two
improvements consisting in resalting the secret every 10s and adding
randomness to each port selection only slightly improved the situation,
and the current value of 2^8 was too small as it's not very difficult
to make a client emit 10k connections in less than 10 seconds.

Thus we're increasing the perturb table from 2^8 to 2^16 so that the
same precision now requires 2.6M connections, which is more difficult in
this time frame and harder to hide as a background activity. The impact
is that the table now uses 256 kB instead of 1 kB, which could mostly
affect devices making frequent outgoing connections. However such
components usually target a small set of destinations (load balancers,
database clients, perf assessment tools), and in practice only a few
entries will be visited, like before.

A live test at 1 million connections per second showed no performance
difference from the previous value.

Reported-by: Moshe Kol <moshe.kol@mail.huji.ac.il>
Reported-by: Yossi Gilad <yossi.gilad@mail.huji.ac.il>
Reported-by: Amit Klein <aksecurity@gmail.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv4/inet_hashtables.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c
index 48ca07853068..cc5f66328b47 100644
--- a/net/ipv4/inet_hashtables.c
+++ b/net/ipv4/inet_hashtables.c
@@ -726,11 +726,12 @@ EXPORT_SYMBOL_GPL(inet_unhash);
  * Note that we use 32bit integers (vs RFC 'short integers')
  * because 2^16 is not a multiple of num_ephemeral and this
  * property might be used by clever attacker.
- * RFC claims using TABLE_LENGTH=10 buckets gives an improvement,
- * we use 256 instead to really give more isolation and
- * privacy, this only consumes 1 KB of kernel memory.
+ * RFC claims using TABLE_LENGTH=10 buckets gives an improvement, though
+ * attacks were since demonstrated, thus we use 65536 instead to really
+ * give more isolation and privacy, at the expense of 256kB of kernel
+ * memory.
  */
-#define INET_TABLE_PERTURB_SHIFT 8
+#define INET_TABLE_PERTURB_SHIFT 16
 #define INET_TABLE_PERTURB_SIZE (1 << INET_TABLE_PERTURB_SHIFT)
 static u32 *table_perturb;
 
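Review bot: The rewritten comment above INET_TABLE_PERTURB_SHIFT justifies 65536 only with "attacks were since demonstrated" and does not record why 16 was chosen. The commit message has the actual sizing argument (identification needs about 40 connections per table entry, so 2^16 entries push the cost to roughly 2.6M connections inside the resalt window); a one-line summary of that in the comment would let a later reader judge whether the shift is still adequate without digging through the log. The memory figure could also say how it is derived (65536 u32 entries) and keep the unit spelling of the text it replaces ("1 KB" there, "256kB" here). For the stable queue, note that the unchanged context line "static u32 *table_perturb;" assumes the table is already a dynamically allocated pointer, so this change should only be applied together with the earlier patch in the series that introduces that allocation.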
-- 
2.35.1

