| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 28 May 2012 18:14:29 +0200 From: Christoph Paasch <christoph.paasch@...ouvain.be> To: Jesper Dangaard Brouer <brouer@...hat.com> CC: netdev@...r.kernel.org, Eric Dumazet <eric.dumazet@...il.com>, "David S. Miller" <davem@...emloft.net>, Martin Topholm <mph@...h.dk>, Florian Westphal <fw@...len.de>, opurdila@...acom.com, Hans Schillstrom <hans.schillstrom@...csson.com> Subject: Re: [RFC PATCH 0/2] Faster/parallel SYN handling to mitigate SYN floods Hello, On 05/28/2012 01:52 PM, Jesper Dangaard Brouer wrote: > The following series is a RFC (Request For Comments) for implementing > a faster and parallel handling of TCP SYN connections, to mitigate SYN > flood attacks. This is against DaveM's net (f0d1b3c2bc), as net-next > is closed, as DaveM has mentioned numerous times ;-) > > Only IPv4 TCP is handled here. The IPv6 TCP code also need to be > updated, but I'll deal with that part after we have agreed on a > solution for IPv4 TCP. > > Patch 1/2: Is a cleanup, where I split out the SYN cookie handling > from tcp_v4_conn_request() into tcp_v4_syn_conn_limit(). > > Patch 2/2: Move tcp_v4_syn_conn_limit() outside bh_lock_sock() in > tcp_v4_rcv(). I would like some input on, (1) if this safe without > the lock, (2) if we need to do some sock lookup, before calling > tcp_v4_syn_conn_limit() (Christoph Paasch > <christoph.paasch@...ouvain.be> mentioned something about SYN > retransmissions) Concerning (1): I think, there are places where you may have troube because you don't hold the lock. E.g., in tcp_make_synack (called by tcp_v4_send_synack from your tcp_v4_syn_conn_limit) there is: if (sk->sk_userlocks & SOCK_RCVBUF_LOCK && (req->window_clamp > tcp_full_space(sk) || req->window_clamp == 0)) req->window_clamp = tcp_full_space(sk); Thus, tcp_full_space(sk) may have different values between the check and setting req->window_clamp. Concerning (2): Imagine, a SYN coming in, when the reqsk-queue is not yet full. A request-sock will be added to the reqsk-queue. Then, a retransmission of this SYN comes in and the queue got full by the time. This time tcp_v4_syn_conn_limit will do syn-cookies and thus generate a different seq-number for the SYN/ACK. But I don't see how you could fix these issues in your proposed framework. Cheers, Christoph > > --- > > Jesper Dangaard Brouer (2): > tcp: Early SYN limit and SYN cookie handling to mitigate SYN floods > tcp: extract syncookie part of tcp_v4_conn_request() > > > net/ipv4/tcp_ipv4.c | 131 ++++++++++++++++++++++++++++++++++++++++++--------- > 1 files changed, 107 insertions(+), 24 deletions(-) > > -- > To unsubscribe from this list: send the line "unsubscribe netdev" in > the body of a message to majordomo@...r.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html > -- Christoph Paasch PhD Student IP Networking Lab --- http://inl.info.ucl.ac.be MultiPath TCP in the Linux Kernel --- http://mptcp.info.ucl.ac.be Université Catholique de Louvain -- -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists