Re: ICMP attacks against TCP and PMTUD

Mon, 23 Jan 2012 07:01:24 -0800 

On Jan 20, 2012, at 10:32 AM, Nikolay Denev wrote:

> On Jan 15, 2012, at 9:52 PM, Nikolay Denev wrote:
> 
>> On 15.01.2012, at 21:35, Andrey Zonov <and...@zonov.org> wrote:
>> 
>>> This helped me:
>>> /boot/loader.conf
>>> net.inet.tcp.hostcache.hashsizee536
>>> net.inet.tcp.hostcache.cachelimit66080
>>> 
>>> Actually, this is a workaround.  As I remember, real problem is in
>>> tcp_ctlinput(), it could not update MTU for destination IP if hostcache
>>> allocation fails.  tcp_hc_updatemtu() should returns NULL if
>>> tcp_hc_insert() returns NULL and tcp_ctlinput() should check this case
>>> and sets updated MTU for this particular connection if
>>> tcp_hc_updatemtu() fails.  Otherwise we've got infinite loop in MTU
>>> discovery.
>>> 
>>> 
>>> On 15.01.2012 22:59, Nikolay Denev wrote:
>>>> 
>>>> % uptime
>>>> 7:57PM  up 608 days,  4:06, 1 user, load averages: 0.30, 0.21, 0.17
>>>> 
>>>> % vmstat -z|grep hostcache
>>>> hostcache:                136,    15372,    15136,      236, 44946965, 
>>>> 10972760
>>>> 
>>>> 
>>>> Hmm… probably I should increase this….
>>>> 
>>> 
>>> --
>>> Andrey Zonov
>> 
>> Thanks, I will test this asap!
>> 
>> Regards,
>> Nikolay
> 
> I've upgraded from 7.3-STABLE to 8.2-STABLE and bumped significantly the 
> hostcache tunables.
> So far so good, I'll report back if I see similar traffic spikes.
> 

Seems like I have been wrong about these traffic spikes being attacks, and
actually the problem seems to be the pmtu infinite loop Andrey described.
I'm now running 8.2-STABLE with hostcache significantly bumped and regularly
have more than 20K hostcache entries, which was more than the default limit of 
15K I was running with before.

_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"

Reply via email to