freebsd-net@ added. After googling "ack storm freebsd" I found a very old SA: https://www.freebsd.org/security/advisories/FreeBSD-SA-98%3A07.rst.asc which mentions:
+ * In the SYN-RECEIVED state, don't send an ACK unless the + * segment we received passes the SYN-RECEIVED ACK test. > + * If it fails send a RST. This breaks the loop in the > + * "LAND" DoS attack, and also prevents an ACK storm > + * between two listening ports that have been sent forged > + * SYN segments, each with the source address of the other. > + */ > + if (tp->t_state == TCPS_SYN_RECEIVED && (tiflags & TH_ACK) && > + (SEQ_GT(tp->snd_una, ti->ti_ack) || > + SEQ_GT(ti->ti_ack, tp->snd_max)) ) > + goto dropwithreset;

Not sure whether the established state also has ACK storm protection.

2017-07-22 2:57 GMT+08:00 Matt Riffle <m...@pair.com>:
> Hello,
>
> Starting on July 11, I’ve started to see an increasing number of what appear to be “ACK storms” affecting a number of FreeBSD boxes I’m administering. There are a few unsupported releases mixed in, but this is also happening on boxes running 10.3-RELEASE-p3.
>
> In the cases we’re seeing, it begins with legitimate TCP traffic requesting something over HTTP, but soon thereafter we get an out of window packet and get into a loop. If anybody is interested, or especially if they’ve experienced something similar, there are a few more details I could share privately.
>
> Setting aside the cause, I’m interested in trying to mitigate the problem. None of my Ubuntu boxes appear to be affected, I presume because of these patches Google made to the kernel there:
>
> https://www.ietf.org/mail-archive/web/tcpm/current/msg09445.html
>
> Is there any equivalent protection for FreeBSD? In my own research I’ve been unable to find anything. In fact, beyond the message above you can’t find very much about ACK storms at all.
>
> Right now we’re mitigating with custom code that is sniffing packets and adding temporary firewall rules whenever it sees a loop start, and that’s working well enough, but I’d prefer to handle it at a lower level if possible.
>
> Thanks,
>
> Matt R.
>
> _______________________________________________
> freebsd-secur...@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"

_______________________________________________
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
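Review bot: the guard in the quoted hunk only fires when `tp->t_state == TCPS_SYN_RECEIVED`, so it covers the LAND / forged-SYN loop between two listeners but says nothing about the ESTABLISHED-state case in this thread, where a connection that has already exchanged HTTP data receives an out-of-window ACK. The acceptability test itself, `SEQ_GT(tp->snd_una, ti->ti_ack) || SEQ_GT(ti->ti_ack, tp->snd_max)`, does not depend on the state; what matters for the ESTABLISHED path is the response on failure, and `goto dropwithreset` is what breaks the loop here, since a RST elicits no reply, whereas answering with an ACK is exactly what keeps two peers bouncing. Note also that only the `+` side is quoted, with no `@@` header or file name, so which tcp_input.c revision this applies to cannot be confirmed from the hunk alone.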
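An added defender-side example, not code from this thread or from FreeBSD: it implements the ACK-acceptability predicate from the quoted hunk with BSD's modular SEQ_GT semantics, plus an offline detector for the loop Matt describes (zero-length ACKs bouncing between two endpoints with unchanging sequence numbers), the kind of check a sniffer could apply before adding a temporary firewall rule. The trace, addresses, ports, threshold and window are constructed assumptions.

```python
from collections import defaultdict, deque

def seq_gt(a, b):
    """BSD SEQ_GT(a, b): modular 32-bit comparison, so wrapped sequence numbers still compare."""
    return a != b and ((a - b) & 0xFFFFFFFF) < 0x80000000

def ack_out_of_window(ack, snd_una, snd_max):
    """The acceptability test from the quoted hunk: an ACK must fall within [snd_una, snd_max]."""
    return seq_gt(snd_una, ack) or seq_gt(ack, snd_max)

def flow_key(p):
    """Direction-independent key for the two endpoints of a connection."""
    a, b = (p["src"], p["sport"]), (p["dst"], p["dport"])
    return (a, b) if a <= b else (b, a)

def detect_ack_storm(packets, threshold=20, window=1.0):
    """Return {flow_key: first_detection_time} for flows whose last `threshold` zero-length
    pure ACKs (all within `window` seconds) bounce between both ends with the same
    (seq, ack) in each direction: an ACK loop rather than a data exchange."""
    recent, flagged = defaultdict(deque), {}
    for p in sorted(packets, key=lambda q: q["t"]):
        if p["flags"] != {"ACK"} or p["payload"] != 0:
            continue  # data, SYN, FIN and RST segments are not part of a loop
        dq = recent[flow_key(p)]
        dq.append((p["t"], (p["src"], p["sport"]), p["seq"], p["ack"]))
        while p["t"] - dq[0][0] > window:  # drop entries older than the window
            dq.popleft()
        if len(dq) < threshold:
            continue
        tail = {(d, s, a) for _, d, s, a in list(dq)[-threshold:]}
        if len(tail) <= 2 and len({d for d, _, _ in tail}) == 2:
            flagged.setdefault(flow_key(p), p["t"])
    return flagged

def build_trace():
    """Constructed sample trace: a normal HTTP exchange, then both ends re-ACK each other."""
    pkts, h, c = [], ("203.0.113.10", 80), ("198.51.100.7", 51234)
    def pkt(t, src, dst, flags, seq, ack, payload=0):
        pkts.append({"t": t, "src": src[0], "sport": src[1], "dst": dst[0], "dport": dst[1],
                     "flags": set(flags), "seq": seq, "ack": ack, "payload": payload})
    pkt(0.00, c, h, ["SYN"], 1000, 0)
    pkt(0.01, h, c, ["SYN", "ACK"], 5000, 1001)
    pkt(0.02, c, h, ["ACK"], 1001, 5001)
    pkt(0.03, c, h, ["ACK", "PSH"], 1001, 5001, payload=120)  # GET request
    pkt(0.05, h, c, ["ACK", "PSH"], 5001, 1121, payload=800)  # response
    pkt(0.06, c, h, ["ACK"], 1121, 5801)
    for i in range(20):  # an out-of-window ACK (9000 > snd_max 5801) starts the loop
        pkt(0.10 + 0.010 * i, c, h, ["ACK"], 1121, 9000)
        pkt(0.105 + 0.010 * i, h, c, ["ACK"], 5801, 1121)
    return pkts
```

The handshake and data packets never trip the detector; the flow is flagged the moment the last 20 pure ACKs are all part of the loop, and a real sniffer would then key a temporary block on the returned flow tuple.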