lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <1331402182.2453.30.camel@edumazet-laptop>
Date:	Sat, 10 Mar 2012 09:56:22 -0800
From:	Eric Dumazet <eric.dumazet@...il.com>
To:	Simon Kirby <sim@...nation.com>
Cc:	"David S. Miller" <davem@...emloft.net>, netdev@...r.kernel.org
Subject: Re: TCP syn flood handling regression

Le samedi 10 mars 2012 à 09:44 -0800, Eric Dumazet a écrit :
> Le samedi 10 mars 2012 à 04:27 -0800, Simon Kirby a écrit :
> > Hello!
> > 
> > A typical port 80 SYN flood started up to one of our clusters, but this
> > time, it didn't work so well. Legitimate connections and trying to fetch
> > server-status via localhost would hang for ~30 seconds before responding,
> > even though though the box had plenty of spare cycles. An strace of all
> > Apache processes showed quite a bit of sleeping in accept4().
> > 
> > This was with 3.2.9, so I went back in kernel builds and found that 3.1
> > and 3.0 were also broken, while 2.6.39 works as I remember -- when syn
> > cookies are enabled, everything just works and is fast. The DoS kept up,
> > so I was able to feed a bit to a node to do some bisection.
> > 
> > Of course, the DoS stopped literally seconds before the last bisection
> > test, but I got it down to:
> > 
> > # good: [0e734419923bd8e599858f8fc196c7804bb85564] ipv4: Use inet_csk_route_child_sock() in DCCP and TCP.
> > # bad: [ea4fc0d6193ff56fcef39b0d2210d402a7acb5f0] ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit().
> > 
> > ...leaving ea4fc0d6193ff56fcef39b0d2210d402a7acb5f0 and
> > d9d8da805dcb503ef8ee49918a94d49085060f23 as culprits.
> > 
> > I've stared at them but can't see what could be doing this.
> > 
> 
> Hi Simon, thanks a lot for this report.
> 
> This sounds as a SYNCOOKIE side effect
> 

It seems we miss a rebuild_header() indeed in the case of a syncookie
initiated socket.

So inet->cork.fl.u.ip4 is not correctly setup and
ea4fc0d6193ff56fcef39b0d2210d402a7acb5f relied on this.

I'll send a patch once tested.



--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ