Received: by 2002:a05:6a10:17d3:0:0:0:0 with SMTP id hz19csp1520451pxb;
        Sat, 17 Apr 2021 21:55:15 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJxT1lL0KfJ7OP4PHdf0k6LXCZLb01OEs/fYr503h7AAaW+S8/zoZXWKPlG+syu9IlvkMkSG
X-Received: by 2002:a50:eb8f:: with SMTP id y15mr18738398edr.115.1618721715716;
        Sat, 17 Apr 2021 21:55:15 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1618721715; cv=none;
        d=google.com; s=arc-20160816;
        b=XWrlyshgh6HUJzI+VqRqzjOtzZ2VTvW+kck/yadOdx18tjsAR+OJtkIItr6SpHj2NK
         qmIgdgeVtAX+lardZZiYGYKolzUU7E6tzrdiyJAWYkIgK0ja7SA8TzKLKLx8OiUDdj1h
         iA7uFlOOoLp9AB2opktDG622hwqXpt5Ck3LsB7b8++aSXkH8nyHLKZnFyCPuKMDoHmlN
         D0uS72F3J4Z6+oiul7mSWRCycXCu1tctsTrydKgyVF1289ZVoBjEUDdDQGjgDlMf1aDe
         Enu4KeBqs0fHQsC2fjNrUhEQvjwl81n7xnrM3UXu9UxPGwYo//B1bYzY/6hpEK99JVxT
         RqBg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:user-agent:in-reply-to:content-disposition
         :mime-version:references:message-id:subject:cc:to:from:date;
        bh=7bYTI0TRaKlwSFfxsuylTH+z6fORxUTKidpBPmHDBeY=;
        b=GO0nzRlY9oYcfQuGaoOomrzkyYYKKjslPlvBdvJ8J4UscQ+bYoEHPwUmar+xURp5Yp
         nKQ9zUsczr8IWWQK9itEBdW5HoGxPk15haIUUf4jvQGvby/03vOwGKDWaxcGu/DCpyme
         3HTZY7/d+4Pe2c7Aomn6OBtOSuurReocj/gxLJvrIUL7JL98AXMViBEwgcDcAfLt7sYJ
         IWPGdE8xfwKx1Wgi+lNVmxio10hYzH3JfrV0WuT5S3YjrK/fhs0PFgmk6AK5KZ9mraQD
         0xsl30NF+o9fOQpsMBLLwwukhXu2VF6S+cyqQwbu4XO/P5ESOIyaSDhBlu/wdl6VDGcS
         dkBw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id q6si4579272ejn.673.2021.04.17.21.54.31;
        Sat, 17 Apr 2021 21:55:15 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S229984AbhDREka (ORCPT <rfc822;lishoy@gmail.com> + 99 others);
        Sun, 18 Apr 2021 00:40:30 -0400
Received: from wtarreau.pck.nerim.net ([62.212.114.60]:51849 "EHLO 1wt.eu"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S229671AbhDREka (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Sun, 18 Apr 2021 00:40:30 -0400
Received: (from willy@localhost)
        by pcw.home.local (8.15.2/8.15.2/Submit) id 13I4dXL6019049;
        Sun, 18 Apr 2021 06:39:33 +0200
Date:   Sun, 18 Apr 2021 06:39:33 +0200
From:   Willy Tarreau <w@1wt.eu>
To:     Matt Corallo <netdev-list@mattcorallo.com>
Cc:     Keyu Man <kman001@ucr.edu>, Eric Dumazet <edumazet@google.com>,
        David Ahern <dsahern@gmail.com>,
        Florian Westphal <fw@strlen.de>, davem@davemloft.net,
        yoshfuji@linux-ipv6.org, dsahern@kernel.org,
        Jakub Kicinski <kuba@kernel.org>, netdev@vger.kernel.org,
        linux-kernel@vger.kernel.org, Zhiyun Qian <zhiyunq@cs.ucr.edu>
Subject: Re: PROBLEM: DoS Attack on Fragment Cache
Message-ID: <20210418043933.GB18896@1wt.eu>
References: <02917697-4CE2-4BBE-BF47-31F58BC89025@hxcore.ol>
 <52098fa9-2feb-08ae-c24f-1e696076c3b9@gmail.com>
 <CANn89iL_V0WbeA-Zr29cLSp9pCsthkX9ze4W46gx=8-UeK2qMg@mail.gmail.com>
 <20210417072744.GB14109@1wt.eu>
 <CAMqUL6bkp2Dy3AMFZeNLjE1f-sAwnuBWpXH_FSYTSh8=Ac3RKg@mail.gmail.com>
 <20210417075030.GA14265@1wt.eu>
 <c6467c1c-54f5-8681-6e7d-aa1d9fc2ff32@bluematt.me>
 <CAMqUL6bAVE9p=XEnH4HdBmBfThaY3FDosqyr8yrQo6N_9+Jf3w@mail.gmail.com>
 <78d776a9-4299-ff4e-8ca2-096ec5c02d05@bluematt.me>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <78d776a9-4299-ff4e-8ca2-096ec5c02d05@bluematt.me>
User-Agent: Mutt/1.10.1 (2018-07-13)
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sat, Apr 17, 2021 at 10:26:30PM -0400, Matt Corallo wrote:
> Sure, there are better ways to handle the reassembly cache overflowing, but
> that is pretty unrelated to the fact that waiting 30 full seconds for a
> fragment to come in doesn't really make sense in today's networks (the 30
> second delay that is used today appears to even be higher than RFC 791
> suggested in 1981!).

Not exactly actually, because you forget the TTL here. With most hosts
sending an initial TTL around 64, after crossing 10-15 hops it's still
around 50 so that would result in ~50 seconds by default, even according
to the 40 years old RFC791. The 15s there was the absolute minimum. While
I do agree that we shouldn't keep them that long nowadays, we can't go
too low without risking to break some slow transmission stacks (SLIP/PPP
over modems for example). In addition even cutting that in 3 will remain
trivially DoSable.

> You get a lot more bang for your buck if you don't wait
> around so long (or we could restructure things to kick out the oldest
> fragments, but that is a lot more work, and probably extra indexes that just
> aren't worth it).

Kicking out oldest ones is a bad approach in a system made only of
independent elements, because it tends to result in a lot of damage once
all of them behave similarly. I.e. if you need to kick out an old entry
in valid traffic, it's because you do need to wait that long, and if all
datagrams need to wait that long, then new datagrams systematically
prevent the oldest one from being reassembled, and none gest reassembled.
With a random approach at least your success ratio converges towards 1/e
(i.e. 36%) which is better.

Willy