[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <5fffbce3-2722-97b9-c025-1ce3da5e5467@bluematt.me>
Date: Mon, 19 Apr 2021 13:20:39 -0400
From: Matt Corallo <netdev-list@...tcorallo.com>
To: Eric Dumazet <edumazet@...gle.com>
Cc: Willy Tarreau <w@....eu>, Keyu Man <kman001@....edu>,
David Ahern <dsahern@...il.com>,
Florian Westphal <fw@...len.de>,
David Miller <davem@...emloft.net>,
Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>,
David Ahern <dsahern@...nel.org>,
Jakub Kicinski <kuba@...nel.org>,
netdev <netdev@...r.kernel.org>,
LKML <linux-kernel@...r.kernel.org>,
Zhiyun Qian <zhiyunq@...ucr.edu>
Subject: Re: PROBLEM: DoS Attack on Fragment Cache
Note that there are two completely separate sysctls here - the timeout on fragments, and the amount of memory available
for fragment reassembly. You have to multiply them together to reach the "Mbps of lost or deliberately-lost fragments
before we start dropping all future fragments". See the calculation in the description of the patch I mentioned above
for exact details, but turning the time down to 1s already gives you 32Mbps, and you can tune the memory usage
separately (eg 128MB, really 256 between v4 and v6, would give you 1Gbps of "lost" fragments).
Its true, an attacker can use a lot of memory in that case, but 128MiB isn't actually something that rises to the level
of "trivial for an attacker to use all the memory you allowed" or "cause OOM".
I only chimed in on this thread to note that this isn't just a theoretical attack concern, however - this is a
real-world non-attack-scenario issue that's pretty trivial to hit. Just losing 1Mbps of traffic on a modern residential
internet connection is pretty doable, make that flow mostly frags and suddenly your VPN drops out for 30 seconds at a
time just because.
I agree with others here that actually solving the DoS issue isn't trivial, but making it less absurdly trivial to have
30 second dropouts of your VPN connection would also be a nice change.
Matt
On 4/19/21 05:43, Eric Dumazet wrote:
> On Sun, Apr 18, 2021 at 4:31 PM Matt Corallo
> <netdev-list@...tcorallo.com> wrote:
>>
>> Should the default, though, be so low? If someone is still using a old modem they can crank up the sysctl, it does seem
>> like such things are pretty rare these days :). Its rather trivial to, without any kind of attack, hit 1Mbps of lost
>> fragments in today's networks, at which point all fragments are dropped. After all, I submitted the patch to "scratch my
>> own itch" :).
>
> Again, even if you increase the values by 1000x, it is trivial for an
> attacker to use all the memory you allowed.
>
> And allowing a significant portion of memory to be eaten like that
> might cause OOM on hosts where jobs are consuming all physical memory.
>
> It is a sysctl, I changed things so that one could really reserve/use
> 16GB of memory if she/he is desperate about frags.
>
>>
>> Matt
>>
>> On 4/18/21 00:39, Willy Tarreau wrote:
>>> I do agree that we shouldn't keep them that long nowadays, we can't go
>>> too low without risking to break some slow transmission stacks (SLIP/PPP
>>> over modems for example).
Powered by blists - more mailing lists