On Jan 15, 2012, at 8:27 PM, Andrey Zonov wrote:

> Hi,
>
> Could you please show the output of `vmstat -z | grep hostcache'?
>
> On 12.01.2012 21:55, Nikolay Denev wrote:
>> Hello,
>>
>> A web server that I administer running Nginx and FreeBSD-7.3-STABLE was
>> recently under an ICMP attack that generated a large amount of outgoing
>> TCP traffic. With some tcpdump and netflow analysis it was evident that
>> the attackers are using ICMP host-unreach need-frag messages to make the
>> web server retransmit multiple times, giving an amplification factor of
>> about 1.6.
>> Then I noticed RFC5927 ( http://www.faqs.org/rfcs/rfc5927.html ) and
>> specifically section 7.2, which discusses countermeasures against such
>> attacks. The text reads:
>>
>>     This section describes a modification to the PMTUD mechanism
>>     specified in [RFC1191] and [RFC1981] that has been incorporated in
>>     OpenBSD and NetBSD (since 2005) to improve TCP's resistance to the
>>     blind performance-degrading attack described in Section 7.1. The
>>     described counter-measure basically disregards ICMP messages when a
>>     connection makes progress, without violating any of the requirements
>>     stated in [RFC1191] and [RFC1981].
>>
>> The RFC is recent (dated from July 2010), and it mentions several times
>> Linux, Free, Open and NetBSD, but exactly in this paragraph it is
>> mentioning only Net and OpenBSD, thus I'm asking if anyone has an idea
>> whether these modifications were put into FreeBSD?
>>
>> I quickly glanced upon the source, but the TCP code is a bit too much
>> for me :)
>>
>> Also, if anybody has observed a similar attack, how are you protecting
>> yourself from it? Simply blocking host-unreach need-frag would break
>> PMTUD.
>>
>> P.S.: I know 7.3 is pretty old, and I've planned an upgrade to 8.2. I'm
>> also curious if 8.2 will behave differently.
>>
>> Regards,
>> Nikolay
>>
>> _______________________________________________
>> freebsd-net@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-net
>> To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
>
> --
> Andrey Zonov

% uptime
7:57PM up 608 days, 4:06, 1 user, load averages: 0.30, 0.21, 0.17
% vmstat -z|grep hostcache
hostcache: 136, 15372, 15136, 236, 44946965, 10972760

Hmm… probably I should increase this….
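The countermeasure quoted from RFC 5927 section 7.2 in the thread, as an added example that is not part of the thread, the RFC or any BSD kernel: a small Python model contrasting classic PMTUD, which honours every ICMP need-frag at once and retransmits, with the "disregard ICMP while the connection makes progress" rule. The event traces, MTU values and the MIN_MTU floor are constructed, and the state machine is a simplification of the RFC's, not a reproduction of it.

```python
"""Model of the RFC 5927 section 7.2 PMTUD hardening.  Added example, not code
from the thread or any BSD kernel; names are this model's own, not the RFC's.
Classic PMTUD honours every ICMP "fragmentation needed" at once; the hardened
sender applies it only if the RTO fires before the connection makes progress."""
from dataclasses import dataclass
from typing import Optional
MIN_MTU = 576  # constructed floor: discard absurdly small advertised MTUs

@dataclass
class Sender:
    hardened: bool
    pmtu: int = 1500
    pending_mtu: Optional[int] = None  # MTU claimed by an ICMP not yet trusted
    retransmits: int = 0               # segments resent, ICMP-triggered or on RTO
    mtu_reductions: int = 0

    def icmp(self, mtu: int) -> None:
        if not MIN_MTU <= mtu < self.pmtu:
            return  # not a valid decrease of the current PMTU
        if not self.hardened:
            # Classic: shrink immediately and resend the segment.
            self.pmtu = mtu
            self.mtu_reductions += 1
            self.retransmits += 1
        else:
            # Hardened: remember the smallest claim; act only on RTO expiry.
            self.pending_mtu = min(self.pending_mtu or mtu, mtu)

    def ack(self) -> None:
        # Progress on the connection: any pending ICMP is disregarded.
        self.pending_mtu = None

    def rto(self) -> None:
        # No progress before the timer fired: now trust the recorded MTU.
        if self.hardened and self.pending_mtu is not None:
            self.pmtu, self.pending_mtu = self.pending_mtu, None
            self.mtu_reductions += 1
        self.retransmits += 1

def run(trace, hardened: bool) -> Sender:
    """Replay ("icmp", mtu), ("ack",) and ("rto",) events against a sender."""
    s = Sender(hardened=hardened)
    for kind, *args in trace:
        getattr(s, kind)(*args)  # dispatch to Sender.icmp / .ack / .rto
    return s

# Constructed: forged ICMPs claiming ever-smaller MTUs while ACKs keep flowing.
ATTACK_TRACE = [("icmp", 1400), ("ack",), ("icmp", 1200), ("ack",),
                ("icmp", 1000), ("ack",), ("icmp", 700), ("ack",)]
# Constructed: a genuine path MTU drop, so no ACK arrives before the RTO.
GENUINE_TRACE = [("icmp", 1400), ("rto",), ("ack",)]
```

Replaying ATTACK_TRACE shows the classic sender retransmitting once per forged ICMP while the hardened sender never changes its PMTU; GENUINE_TRACE shows both still converging on the advertised MTU when the path really shrank.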