Received: by 2002:a05:6a10:17d3:0:0:0:0 with SMTP id hz19csp2650900pxb; Mon, 19 Apr 2021 10:25:17 -0700 (PDT) X-Google-Smtp-Source: ABdhPJya3dT3KGP7SH2dQ8AzjX7tsxGQVW35cblYbvv67JJMFUZucae96FMlXKSClwU4XnHSOnkv X-Received: by 2002:a17:90b:1190:: with SMTP id gk16mr144576pjb.57.1618853117413; Mon, 19 Apr 2021 10:25:17 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1618853117; cv=none; d=google.com; s=arc-20160816; b=CYHgXpL/R6LOJryx7G4NGOfLejAYT+yfrVlN5ym1BUo6zxZFSPC6yuestKNZIMWSpF 8gwjToUOZ7ebrxuvC83k4xH4GDL0dvtSUWW4kz1JgDhOTRpbuqqEGND1I0zEmqW50jCy t2OE4t1CONMswLpkGUV/bk3RVNCrSLyI22+xt6V8iJh1jkKg53/8XF8OxLMcpvh5Ui/0 k6r0pmcZGGHpjBctDqoHf2ew9oOE8S9dJzGBz/RJR8KSVKStmT1+ELfgG9Ie91UjPY0Y 7x4JxqGr2UfnrqKTBYd8tqOKucysVjQvBpp3ie00coFkabaW0yFCtit4MUgk2VJnSMJ8 nX7w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:content-language:subject:mime-version:date :message-id:dkim-signature; bh=FiEKzC7B1dsbH70Gn8HR+nV/qxAaawx52H3Ir599Os0=; b=HakzATazB3bh3m/p3yODAaMPqWGRVxkJw5qeEsK/3ipQpBtgC2nSSnHd6jTWWhtA7e glcqN5NcC78j5yQsYgqPLaX8IS2KXZFb3rzlHTLKK077Y0jCJ8ZJGbDpkT5/VPflz58l kKqtSmVNXyr1xKpwNQMEcXbBll2j1ea6XphXVCrtsni0E8guLYw2THxuFgIOzWuPakcR 9ZTNG1CKEdQ/GK441FmlrHgFUqqZs4k5PyDnTmEgKtp7FE7F+XMwm491omIrg+39NIfX wujaRxEPASw3TcMR0tqmq+ZcN+2c4m8GvACpo1Hx4hkaYcpV4nlqc97a2DuWLdQrkvug rXRQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@mattcorallo.com header.s=1618851664 header.b=RZ27MFuh; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=REJECT dis=NONE) header.from=mattcorallo.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id n19si17917012pgv.400.2021.04.19.10.25.02; Mon, 19 Apr 2021 10:25:17 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@mattcorallo.com header.s=1618851664 header.b=RZ27MFuh; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=REJECT dis=NONE) header.from=mattcorallo.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239812AbhDSRVO (ORCPT + 99 others); Mon, 19 Apr 2021 13:21:14 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56280 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230063AbhDSRVN (ORCPT ); Mon, 19 Apr 2021 13:21:13 -0400 Received: from mail.as397444.net (mail.as397444.net [IPv6:2620:6e:a000:dead:beef:15:bad:f00d]) by lindbergh.monkeyblade.net (Postfix) with UTF8SMTPS id 4F695C06174A; Mon, 19 Apr 2021 10:20:43 -0700 (PDT) Received: by mail.as397444.net (Postfix) with UTF8SMTPSA id 9D6CA541F74; Mon, 19 Apr 2021 17:20:40 +0000 (UTC) X-DKIM-Note: Keys used to sign are likely public at https://as397444.net/dkim/ DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mattcorallo.com; s=1618851664; t=1618852841; bh=FiEKzC7B1dsbH70Gn8HR+nV/qxAaawx52H3Ir599Os0=; h=Date:Subject:To:Cc:References:From:In-Reply-To:From; b=RZ27MFuhsSTKFsjjBBKbde/EEN8bjbei5vdIdBWUtyWEBgwknOmq2Y4l2aNRCNa56 V3IEu2uWnVlBjEstH3PFfu+fmnvnQzK7iHe+OYF1Lgkk9k9H+Myt79s49fcop6h9ur 9SVV6hRc6J5MJxN7RbAABtf4c24mc/kENRw3UV4Nz8IBhRPQTRBJJ60Sb7JkqbQ/cL jSuvbCaZyzAFV9SWlmRXLNa+epoLX8sjo4P8fpBRzZK0fpWOfH1/cpbiwJJVYABL/1 ohTY8bRT1VkcX6Q3z6+7sG2yTkXIVhGhp7GqWl9bZnjrC8i6lbYYwlF10H3wOiAeoo LFtw4hlj6B2JQ== Message-ID: <5fffbce3-2722-97b9-c025-1ce3da5e5467@bluematt.me> Date: Mon, 19 Apr 2021 13:20:39 -0400 MIME-Version: 1.0 Subject: Re: PROBLEM: DoS Attack on Fragment Cache Content-Language: en-US To: Eric Dumazet Cc: Willy Tarreau , Keyu Man , David Ahern , Florian Westphal , David Miller , Hideaki YOSHIFUJI , David Ahern , Jakub Kicinski , netdev , LKML , Zhiyun Qian References: <02917697-4CE2-4BBE-BF47-31F58BC89025@hxcore.ol> <52098fa9-2feb-08ae-c24f-1e696076c3b9@gmail.com> <20210417072744.GB14109@1wt.eu> <20210417075030.GA14265@1wt.eu> <78d776a9-4299-ff4e-8ca2-096ec5c02d05@bluematt.me> <20210418043933.GB18896@1wt.eu> <9e2966be-d210-edf9-4f3c-5681f0d07c5f@bluematt.me> From: Matt Corallo In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Note that there are two completely separate sysctls here - the timeout on fragments, and the amount of memory available for fragment reassembly. You have to multiply them together to reach the "Mbps of lost or deliberately-lost fragments before we start dropping all future fragments". See the calculation in the description of the patch I mentioned above for exact details, but turning the time down to 1s already gives you 32Mbps, and you can tune the memory usage separately (eg 128MB, really 256 between v4 and v6, would give you 1Gbps of "lost" fragments). Its true, an attacker can use a lot of memory in that case, but 128MiB isn't actually something that rises to the level of "trivial for an attacker to use all the memory you allowed" or "cause OOM". I only chimed in on this thread to note that this isn't just a theoretical attack concern, however - this is a real-world non-attack-scenario issue that's pretty trivial to hit. Just losing 1Mbps of traffic on a modern residential internet connection is pretty doable, make that flow mostly frags and suddenly your VPN drops out for 30 seconds at a time just because. I agree with others here that actually solving the DoS issue isn't trivial, but making it less absurdly trivial to have 30 second dropouts of your VPN connection would also be a nice change. Matt On 4/19/21 05:43, Eric Dumazet wrote: > On Sun, Apr 18, 2021 at 4:31 PM Matt Corallo > wrote: >> >> Should the default, though, be so low? If someone is still using a old modem they can crank up the sysctl, it does seem >> like such things are pretty rare these days :). Its rather trivial to, without any kind of attack, hit 1Mbps of lost >> fragments in today's networks, at which point all fragments are dropped. After all, I submitted the patch to "scratch my >> own itch" :). > > Again, even if you increase the values by 1000x, it is trivial for an > attacker to use all the memory you allowed. > > And allowing a significant portion of memory to be eaten like that > might cause OOM on hosts where jobs are consuming all physical memory. > > It is a sysctl, I changed things so that one could really reserve/use > 16GB of memory if she/he is desperate about frags. > >> >> Matt >> >> On 4/18/21 00:39, Willy Tarreau wrote: >>> I do agree that we shouldn't keep them that long nowadays, we can't go >>> too low without risking to break some slow transmission stacks (SLIP/PPP >>> over modems for example).