Received: by 2002:a05:6a10:17d3:0:0:0:0 with SMTP id hz19csp845321pxb; Fri, 16 Apr 2021 21:48:08 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyNcHekLzyvcc55EJbLmJovvMWYkl9PPxGRij0HcXUmfYMVUfUmLOcXmPLyCfGIvtdNsppm X-Received: by 2002:a17:906:b754:: with SMTP id fx20mr11532217ejb.69.1618634887989; Fri, 16 Apr 2021 21:48:07 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1618634887; cv=none; d=google.com; s=arc-20160816; b=yqZZ8m5dMQ2R7Xr0YUQ8Xldk3gTF+3pieJ+PqRIG4aF/V6MzmtKS/V1jw5ZHccNqPC N0sWjwhTIQqwBsVJqe5PyhMUEBkkgbmvoUCpA9tYYOK47VKcKACPCXyvPe5G6OI6N0Tj txRC3Cwj63Fm13ct/bVIz2nsmrtWR4xh6aUKaU3WBZvSZ9A6g1KWutAaRwtQxIjLijnn BhBFF1QKZ46hlCetTRaXErvEPaBqKuLqz1cVplYmdH1dWcIVpjaSz2E0OwycUkULgEgI sMBW8QRUe0ZW7yUPFE0W0QlXz1OFE6+yO7qSlmKdlUL7PlIRA4D7/0NhrACRKToOP/tN ajpw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=UlzkXq0M+W1cpjaBF2fQqqPjR+95Za5NCaFJKXmKppg=; b=DhNgYcyxaq2cxAv8RxsOkOSmFDq3x69eUYgtm0zEbAAl2ZJi9oX8lLBGWqWBwjVqSO ZtHnUMWttZaXfO5e3Y/cq0nSLeEg1e5sEhyIQNK2J9CIi7zemWqPqAT9UPbCHDHdeJ34 UBkhrlqpqyNXfsLR6u/7DSAdznPNYb6lWoJ8G4G6faX1v72wrNGhmzvKPNp6IOEUYOxs hxKNIJe1TMaXcgmsG/L6c6PGuwm4k1gyQDUfGf/20wdpCsIg5Sxh6X3n2LEz85hdIcSh D9LxV1G/p4o40sRgDJ5/c/enBxe/zloqTad2fsWXzfI2tvCRvbLou1SFgQA7WUtIBGBE r7ug== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=hK+Wgu+8; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id cz6si6551855edb.335.2021.04.16.21.47.45; Fri, 16 Apr 2021 21:48:07 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=hK+Wgu+8; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229629AbhDQEpT (ORCPT + 99 others); Sat, 17 Apr 2021 00:45:19 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33742 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229547AbhDQEpS (ORCPT ); Sat, 17 Apr 2021 00:45:18 -0400 Received: from mail-yb1-xb2d.google.com (mail-yb1-xb2d.google.com [IPv6:2607:f8b0:4864:20::b2d]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 218D9C061756 for ; Fri, 16 Apr 2021 21:44:53 -0700 (PDT) Received: by mail-yb1-xb2d.google.com with SMTP id k73so26124519ybf.3 for ; Fri, 16 Apr 2021 21:44:53 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=UlzkXq0M+W1cpjaBF2fQqqPjR+95Za5NCaFJKXmKppg=; b=hK+Wgu+8IEvCbonKlxwvZkSoipVtAgcCO/pYJv2zHcLCCNPhYDVLbtEWjKHb1c+yhw lPqd5lDhiqlvuzBfBu0j5T/K9oK1zSRdK2z/4YwFuxioaphgZ1ulybfvcXxuqCUGqypZ YzVIrjvJrVx3b4oEy/rW3NGkzrf7NTVfMC9PcHK7bP5Wy2uyJquQap/s3k+KSZ4kFRgq 3OsDr28S7m/EJydr80SALoA0ib1weskcURLbI+Wmc1bXa6jLu/HQYmMVjw7AkBlrgKUg +tLSHylq4h1vnxZehk9QI5hglBS4bp2KVx6awhedV3iv6qQnRrd0PLIkRfmfulh+Evh5 5MmQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=UlzkXq0M+W1cpjaBF2fQqqPjR+95Za5NCaFJKXmKppg=; b=tIsyBQDaJqeiMRf4mYiWgWFPhyNxDiDBLhi0886Z0R5cZ+aEs9wIQCB2pu8L52IuQ+ 5eFP2zf9iJAnRSCDo5JR3oWnoy47hNSySEzrWOgdl+2mhBq543JbHiQ/hh0sK34k25Za B/a9oO3R7YEjc4eN66oC0N+8x8d7VVsOLD3BbiOympm1qILpPiOxIrUkXcHLXcOtRB7s 3fn3m7T9Dz0FrmD2jjUdxOJweCgHo47w8gE3J0XcdVTgfakNEXclcD0q10dTyaMqJiwA ep08BKsOUnzrCugw/CXsfJfo/E8KVDaLjaGFkwVaQdsN0rjr/uWy04NmZ0uDBmglZ0kO 8TPQ== X-Gm-Message-State: AOAM532RXheh5zEAL2Ryam8NV6XrcK/+kLkggn86sDBwYeIlWdIFNHQa 0olGGqwBoo7MJ0R62ZlM6YG4GMKBOawlchRBnw3llQ== X-Received: by 2002:a25:850b:: with SMTP id w11mr3477819ybk.518.1618634691937; Fri, 16 Apr 2021 21:44:51 -0700 (PDT) MIME-Version: 1.0 References: <02917697-4CE2-4BBE-BF47-31F58BC89025@hxcore.ol> <52098fa9-2feb-08ae-c24f-1e696076c3b9@gmail.com> In-Reply-To: <52098fa9-2feb-08ae-c24f-1e696076c3b9@gmail.com> From: Eric Dumazet Date: Sat, 17 Apr 2021 06:44:40 +0200 Message-ID: Subject: Re: PROBLEM: DoS Attack on Fragment Cache To: David Ahern , Florian Westphal Cc: Keyu Man , "davem@davemloft.net" , "yoshfuji@linux-ipv6.org" , "dsahern@kernel.org" , Jakub Kicinski , "netdev@vger.kernel.org" , "linux-kernel@vger.kernel.org" , Zhiyun Qian Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sat, Apr 17, 2021 at 2:31 AM David Ahern wrote: > > [ cc author of 648700f76b03b7e8149d13cc2bdb3355035258a9 ] I think this has been discussed already. There is no strategy that makes IP reassembly units immune to DDOS attacks. We added rb-tree and sysctls to let admins choose to use GB of RAM if they really care. > > On 4/16/21 3:58 PM, Keyu Man wrote: > > Hi, > > > > > > > > My name is Keyu Man. We are a group of researchers from University > > of California, Riverside. Zhiyun Qian is my advisor. We found the code > > in processing IPv4/IPv6 fragments will potentially lead to DoS Attacks. > > Specifically, after the latest kernel receives an IPv4 fragment, it will > > try to fit it into a queue by calling function > > > > > > > > struct inet_frag_queue *inet_frag_find(struct fqdir *fqdir, void > > *key) in net/ipv4/inet_fragment.c. > > > > > > > > However, this function will first check if the existing fragment > > memory exceeds the fqdir->high_thresh. If it exceeds, then drop the > > fragment regardless whether it belongs to a new queue or an existing queue. > > > > Chances are that an attacker can fill the cache with fragments that > > will never be assembled (i.e., only sends the first fragment with new > > IPIDs every time) to exceed the threshold so that all future incoming > > fragmented IPv4 traffic would be blocked and dropped. Since there is no > > GC mechanism, the victim host has to wait for 30s when the fragments are > > expired to continue receive incoming fragments normally. > > > > In practice, given the 4MB fragment cache, the attacker only needs > > to send 1766 fragments to exhaust the cache and DoS the victim for 30s, > > whose cost is pretty low. Besides, IPv6 would also be affected since the > > issue resides in inet part. > > > > This issue is introduced in commit > > 648700f76b03b7e8149d13cc2bdb3355035258a9 (inet: frags: use rhashtables > > for reassembly units) which removes fqdir->low_thresh, and GC worker as > > well. We would gently request to bring GC worker back to the kernel to > > prevent the DoS attacks. > > > > Looking forward to hear from you > > > > > > > > Thanks, > > > > Keyu Man > > >