| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 30 Apr 2021 19:49:14 +0200
From: Eric Dumazet <edumazet@...gle.com>
To: Matt Corallo <netdev-list@...tcorallo.com>
Cc: Willy Tarreau <w@....eu>, "David S. Miller" <davem@...emloft.net>,
netdev <netdev@...r.kernel.org>,
Alexey Kuznetsov <kuznet@....inr.ac.ru>,
Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>,
Keyu Man <kman001@....edu>
Subject: Re: [PATCH net-next] Reduce IP_FRAG_TIME fragment-reassembly timeout
to 1s, from 30s
On Fri, Apr 30, 2021 at 7:42 PM Matt Corallo
<netdev-list@...tcorallo.com> wrote:
>
>
>
> On 4/30/21 13:09, Eric Dumazet wrote:
> > On Fri, Apr 30, 2021 at 5:52 PM Matt Corallo
> > <netdev-list@...tcorallo.com> wrote:
> >>
> >> Following up - is there a way forward here?
> >>
> >
> > Tune the sysctls to meet your goals ?
> >
> > I did the needed work so that you can absolutely decide to use 256GB
> > of ram per host for frags if you want.
> > (Although I have not tested with crazy values like that, maybe some
> > kind of bottleneck will be hit)
>
> Again, this is not a solution universally because this issue appears when transiting a Linux router. This isn't only
> about end-hosts (or I wouldn't have even bothered with any of this). Sometimes packets flow over a Linux router that you
> don't have control over, which is true in my case.
>
> >> I think the current ease of hitting the black-hole-ing behavior is unacceptable (and often not something that can be
> >> changed even with the sysctl knobs due to intermediate hosts), and am happy to do some work to fix it.
> >>
> >> Someone mentioned in a previous thread randomly evicting fragments instead of dropping all new fragments when we reach
> >> saturation, which may be an option. We could also do something in between 1s and 30s, preserving behavior for hosts
> >> which see fragments delivered out-of-order by seconds while still reducing the ease of accidentally just black-holing
> >> all fragments entirely in more standard internet access deployments.
> >>
> >
> > Give me one implementation, I will give you a DDOS program to defeat it.
> > linux code is public, attackers will simply change their attacks.
> >
> > There is no generic solution, they are all bad.
> >
> > If you evict randomly, it will also fail. So why bother ?
>
> This was never about DDoS attacks - as noted several times this is about it being trivial to have all your fragments
> blackholed for 30 seconds at a time just because you have some normal run-of-the-mill packet loss.
Again, it will be trivial to have a use case where valid fragments are dropped.
Random can be considered as the worst strategy in some cases.
Queue management can tail drop, head drop, random drop, there is no
magical choice.
>
> I agree with you wholeheartedly that there isn't a solution to the DDoS attack issue, I'm not trying to address it. On
> the other hand, in the face of no attacks or otherwise malicious behavior, I'd expect Linux to not exhibit the complete
> blackholing of fragments that it does today.
Your expectations are unfortunately not something that linux can
satisfy _automatically_,
you have to tweak sysctls to tune _your_ workload.
Powered by blists - more mailing lists