Re: ICMP attacks against TCP and PMTUD

On Jan 23, 2012, at 11:17 PM, Andre Oppermann wrote: > On 23.01.2012 16:01, Nikolay Denev wrote: >> >> On Jan 20, 2012, at 10:32 AM, Nikolay Denev wrote: >> >>> On Jan 15, 2012, at 9:52 PM, Nikolay Denev wrote: >>> On 15.01.2012, at 21:35, Andrey Zonov wrote: > This helped me:

Re: ICMP attacks against TCP and PMTUD

On 23.01.2012 16:01, Nikolay Denev wrote: On Jan 20, 2012, at 10:32 AM, Nikolay Denev wrote: On Jan 15, 2012, at 9:52 PM, Nikolay Denev wrote: On 15.01.2012, at 21:35, Andrey Zonov wrote: This helped me: /boot/loader.conf net.inet.tcp.hostcache.hashsizee536 net.inet.tcp.hostcache.cachelim

Re: ICMP attacks against TCP and PMTUD

On Jan 20, 2012, at 10:32 AM, Nikolay Denev wrote: > On Jan 15, 2012, at 9:52 PM, Nikolay Denev wrote: > >> On 15.01.2012, at 21:35, Andrey Zonov wrote: >> >>> This helped me: >>> /boot/loader.conf >>> net.inet.tcp.hostcache.hashsizee536 >>> net.inet.tcp.hostcache.cachelimit66080 >>> >>> Act

Re: ICMP attacks against TCP and PMTUD

On Jan 15, 2012, at 9:52 PM, Nikolay Denev wrote: > On 15.01.2012, at 21:35, Andrey Zonov wrote: > >> This helped me: >> /boot/loader.conf >> net.inet.tcp.hostcache.hashsizee536 >> net.inet.tcp.hostcache.cachelimit66080 >> >> Actually, this is a workaround. As I remember, real problem is in >

Re: ICMP attacks against TCP and PMTUD

On 15.01.2012, at 21:35, Andrey Zonov wrote: > This helped me: > /boot/loader.conf > net.inet.tcp.hostcache.hashsizee536 > net.inet.tcp.hostcache.cachelimit66080 > > Actually, this is a workaround. As I remember, real problem is in > tcp_ctlinput(), it could not update MTU for destination IP if

Re: ICMP attacks against TCP and PMTUD

This helped me: /boot/loader.conf net.inet.tcp.hostcache.hashsize=65536 net.inet.tcp.hostcache.cachelimit=1966080 Actually, this is a workaround. As I remember, real problem is in tcp_ctlinput(), it could not update MTU for destination IP if hostcache allocation fails. tcp_hc_updatemtu() shou

Re: ICMP attacks against TCP and PMTUD

On Jan 15, 2012, at 8:27 PM, Andrey Zonov wrote: > Hi, > > Could you please show the output of `vmstat -z | grep hostcache'? > > On 12.01.2012 21:55, Nikolay Denev wrote: >> Hello, >> >> A web server that I administer running Nginx and FreeBSD-7.3-STABLE was >> recently >> under a ICMP attack

Re: ICMP attacks against TCP and PMTUD

Hi, Could you please show the output of `vmstat -z | grep hostcache'? On 12.01.2012 21:55, Nikolay Denev wrote: Hello, A web server that I administer running Nginx and FreeBSD-7.3-STABLE was recently under a ICMP attack that generated a large amount of outgoing TCP traffic. With some tcpdump a

Re: ICMP attacks against TCP and PMTUD

Hello, Nikolay, On 01/13/2012 12:29 PM, Nikolay Denev wrote: > I'm now looking again at the pcap and I'm a bit confused. > First the possible attacker sends the ICMP need-frag packets with "MTU of > next hop" set to zero, > which in 2012 shouldn't be very common? Not just uncommon, but actually

Re: ICMP attacks against TCP and PMTUD

On Jan 13, 2012, at 11:47 AM, Andre Oppermann wrote: > On 12.01.2012 18:55, Nikolay Denev wrote: >> Hello, >> >> A web server that I administer running Nginx and FreeBSD-7.3-STABLE was >> recently >> under a ICMP attack that generated a large amount of outgoing TCP traffic. >> With some tcpdump

Re: ICMP attacks against TCP and PMTUD

On 12.01.2012 18:55, Nikolay Denev wrote: Hello, A web server that I administer running Nginx and FreeBSD-7.3-STABLE was recently under a ICMP attack that generated a large amount of outgoing TCP traffic. With some tcpdump and netflow analysis it was evident that the attachers are using ICMP ho

ICMP attacks against TCP and PMTUD

Hello, A web server that I administer running Nginx and FreeBSD-7.3-STABLE was recently under a ICMP attack that generated a large amount of outgoing TCP traffic. With some tcpdump and netflow analysis it was evident that the attachers are using ICMP host-unreach need-frag messages to make the we