[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 7 Jul 2021 18:06:21 +0200
From: Eric Dumazet <edumazet@...gle.com>
To: Willy Tarreau <w@....eu>
Cc: Eric Dumazet <eric.dumazet@...il.com>,
"David S . Miller" <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>,
netdev <netdev@...r.kernel.org>,
Maciej Zenczykowski <maze@...gle.com>
Subject: Re: [PATCH net] ipv6: tcp: drop silly ICMPv6 packet too big messages
On Wed, Jul 7, 2021 at 5:59 PM Willy Tarreau <w@....eu> wrote:
>
> Hi Eric,
>
> On Wed, Jul 07, 2021 at 08:46:30AM -0700, Eric Dumazet wrote:
> > From: Eric Dumazet <edumazet@...gle.com>
> >
> > While TCP stack scales reasonably well, there is still one part that
> > can be used to DDOS it.
> >
> > IPv6 Packet too big messages have to lookup/insert a new route,
> > and if abused by attackers, can easily put hosts under high stress,
> > with many cpus contending on a spinlock while one is stuck in fib6_run_gc()
>
> Just thinking loud, wouldn't it make sense to support randomly dropping
> such packets on input (or even better rate-limit them) ? After all, if
> a host on the net feels like it will need to send one, it will surely
> need to send a few more until one is taken into account so it's not
> dramatic. And this could help significantly reduce their processing cost.
Not sure what you mean by random.
We probably want to process valid packets, if they ever reach us.
In our case, we could simply drop all ICMPv6 " packet too big"
messages, since we clamp TCP/IPv6 MSS to the bare minimum anyway.
Adding a generic check in TCP/ipv6 stack is cheaper than an iptables
rule (especially if this is the only rule that must be used)
Powered by blists - more mailing lists