lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <5fffbce3-2722-97b9-c025-1ce3da5e5467@bluematt.me>
Date:   Mon, 19 Apr 2021 13:20:39 -0400
From:   Matt Corallo <netdev-list@...tcorallo.com>
To:     Eric Dumazet <edumazet@...gle.com>
Cc:     Willy Tarreau <w@....eu>, Keyu Man <kman001@....edu>,
        David Ahern <dsahern@...il.com>,
        Florian Westphal <fw@...len.de>,
        David Miller <davem@...emloft.net>,
        Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>,
        David Ahern <dsahern@...nel.org>,
        Jakub Kicinski <kuba@...nel.org>,
        netdev <netdev@...r.kernel.org>,
        LKML <linux-kernel@...r.kernel.org>,
        Zhiyun Qian <zhiyunq@...ucr.edu>
Subject: Re: PROBLEM: DoS Attack on Fragment Cache

Note that there are two completely separate sysctls here - the timeout on fragments, and the amount of memory available 
for fragment reassembly. You have to multiply them together to reach the "Mbps of lost or deliberately-lost fragments 
before we start dropping all future fragments". See the calculation in the description of the patch I mentioned above 
for exact details, but turning the time down to 1s already gives you 32Mbps, and you can tune the memory usage 
separately (eg 128MB, really 256 between v4 and v6, would give you 1Gbps of "lost" fragments).

Its true, an attacker can use a lot of memory in that case, but 128MiB isn't actually something that rises to the level 
of "trivial for an attacker to use all the memory you allowed" or "cause OOM".

I only chimed in on this thread to note that this isn't just a theoretical attack concern, however - this is a 
real-world non-attack-scenario issue that's pretty trivial to hit. Just losing 1Mbps of traffic on a modern residential 
internet connection is pretty doable, make that flow mostly frags and suddenly your VPN drops out for 30 seconds at a 
time just because.

I agree with others here that actually solving the DoS issue isn't trivial, but making it less absurdly trivial to have 
30 second dropouts of your VPN connection would also be a nice change.

Matt

On 4/19/21 05:43, Eric Dumazet wrote:
> On Sun, Apr 18, 2021 at 4:31 PM Matt Corallo
> <netdev-list@...tcorallo.com> wrote:
>>
>> Should the default, though, be so low? If someone is still using a old modem they can crank up the sysctl, it does seem
>> like such things are pretty rare these days :). Its rather trivial to, without any kind of attack, hit 1Mbps of lost
>> fragments in today's networks, at which point all fragments are dropped. After all, I submitted the patch to "scratch my
>> own itch" :).
> 
> Again, even if you increase the values by 1000x, it is trivial for an
> attacker to use all the memory you allowed.
> 
> And allowing a significant portion of memory to be eaten like that
> might cause OOM on hosts where jobs are consuming all physical memory.
> 
> It is a sysctl, I changed things so that one could really reserve/use
> 16GB of memory if she/he is desperate about frags.
> 
>>
>> Matt
>>
>> On 4/18/21 00:39, Willy Tarreau wrote:
>>> I do agree that we shouldn't keep them that long nowadays, we can't go
>>> too low without risking to break some slow transmission stacks (SLIP/PPP
>>> over modems for example).

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ