mirror of https://git.FreeBSD.org/src.git synced 2025-01-17 15:27:36 +00:00
freebsd/sys
Andre Oppermann 53369ac9bb Limiters and sanity checks for TCP MSS (maximum segment size)
resource exhaustion attacks.

For network link optimization TCP can adjust its MSS and thus
packet size according to the observed path MTU.  This is done
dynamically based on feedback from the remote host and network
components along the packet path.  This information can be
abused to pretend an extremely low path MTU.

The resource exhaustion works in two ways:

 o during tcp connection setup the advertised local MSS is
   exchanged between the endpoints.  The remote endpoint can
   set this arbitrarily low (except for a minimum MTU of 64
   octets enforced in the BSD code).  When the local host is
   sending data it is forced to send many small IP packets
   instead of a large one.

   For example, instead of the normal TCP payload size of 1448
   it forces a TCP payload size of 12 (MTU 64), and thus we have
   a 120 times increase in workload and packets. On fast links
   this quickly saturates the local CPU and may also hit the pps
   processing limits of network components along the path.

   This type of attack is particularly effective for servers
   where the attacker can download large files (WWW and FTP).

   We mitigate it by enforcing a minimum MTU settable by sysctl
   net.inet.tcp.minmss defaulting to 256 octets.

 o the local host is receiving data on a TCP connection from
   the remote host.  The local host has no control over the
   packet size the remote host is sending.  The remote host
   may choose to do what is described in the first attack and
   send the data in packets with a TCP payload of at least
   one byte.  For each packet the tcp_input() function will
   be entered, the packet is processed and a sowakeup() is
   signalled to the connected process.

   For example, an attack with 2 Mbit/s gives 4716 packets per
   second and the same amount of sowakeup()s to the process
   (and context switches).

   This type of attack is particularly effective for servers
   where the attacker can upload large amounts of data.
   Normally this is the case with WWW server where large POSTs
   can be made.

   We mitigate this by calculating the average MSS payload per
   second.  If it goes below 'net.inet.tcp.minmss' and the pps
   rate is above 'net.inet.tcp.minmssoverload' defaulting to
   1000 this particular TCP connection is reset and dropped.

MITRE CVE:	CAN-2004-0002
Reviewed by:	sam (mentor)
MFC after:	1 day
2004-01-08 17:40:07 +00:00
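The two mitigations described in the commit message, modelled as a small user-space example in C. This is added illustration, not the FreeBSD code: the clamp helper, the one-second window in `struct conn_stats`, and the `simulate_second()` driver are assumptions of this example; the sysctl defaults (256 octets, 1000 pps) are the ones the message states.

```c
#include <stdint.h>
#include <stdio.h>

/* Tunables named in the commit message, with the defaults it states. */
#define TCP_MINMSS          256   /* net.inet.tcp.minmss, octets */
#define TCP_MINMSS_OVERLOAD 1000  /* net.inet.tcp.minmssoverload, pps */

/* Mitigation 1: clamp the MSS the peer advertised during connection setup. */
uint32_t tcp_clamp_peer_mss(uint32_t advertised)
{
    return advertised < TCP_MINMSS ? TCP_MINMSS : advertised;
}

/* Per-connection receive accounting for one-second windows
 * (hypothetical struct for this example, not FreeBSD's struct tcpcb). */
struct conn_stats {
    uint32_t second;         /* second the current window belongs to */
    uint32_t pkts;           /* segments received in this window */
    uint64_t payload_bytes;  /* TCP payload octets received in this window */
};

/* Mitigation 2: account one received segment. Returns 1 when the
 * connection should be reset and dropped: more than TCP_MINMSS_OVERLOAD
 * segments arrived this second and their average payload is below
 * TCP_MINMSS. Returns 0 otherwise. */
int tcp_minmss_check(struct conn_stats *cs, uint32_t now_sec, uint32_t payload_len)
{
    if (now_sec != cs->second) {        /* new second: start a fresh window */
        cs->second = now_sec;
        cs->pkts = 0;
        cs->payload_bytes = 0;
    }
    cs->pkts++;
    cs->payload_bytes += payload_len;
    return cs->pkts > TCP_MINMSS_OVERLOAD &&
           cs->payload_bytes / cs->pkts < TCP_MINMSS;
}

/* Constructed traffic model: npkts segments of equal payload within one
 * second. Returns the 1-based segment at which the connection is dropped,
 * or 0 if it survives the whole second. */
int simulate_second(uint32_t npkts, uint32_t payload)
{
    struct conn_stats cs = {0, 0, 0};
    for (uint32_t i = 1; i <= npkts; i++)
        if (tcp_minmss_check(&cs, 1, payload))
            return (int)i;
    return 0;
}
```

With the message's own numbers, a 4716 pps stream of 1-byte payloads is dropped at the 1001st segment of the second, while the same rate of 1448-byte segments is never touched because the average stays far above minmss.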
alpha Cosmetic tweaks: use PCPU_GET(cpumask) and CPU_ABSENT(). 2004-01-07 23:00:20 +00:00
amd64 Remove `static' prototype from header file. 2004-01-06 20:36:21 +00:00
arm Add sysentvec->sv_fixlimits() hook so that we can catch cases on 64 bit 2003-09-25 01:10:26 +00:00
boot Allow one to specify the com port settings for boot0sio. 2004-01-06 18:46:35 +00:00
cam Move the ciss quirk to the right section, also update the comment 2003-12-08 06:29:38 +00:00
coda - Implement selwakeuppri() which allows raising the priority of a 2003-11-09 09:17:26 +00:00
compat Correct the definition of the ndis_miniport_interrupt structure: 2004-01-08 10:44:37 +00:00
conf Add the NDISAPI option. 2004-01-08 17:13:10 +00:00
contrib This commit was generated by cvs2svn to compensate for changes in r124120, 2004-01-04 06:35:01 +00:00
crypto avoid module name conflict with opencrypto/rijndael.c. 2003-11-12 04:22:37 +00:00
ddb Reworked rev.1.14. Use the ELF symbol type again to summarily reject 2003-09-28 06:02:33 +00:00
dev Add the PCI ID for yet another bge chip: the Altima 1002. 2004-01-08 17:19:11 +00:00
fs Lock p->p_textvp before calling vn_fullpath() on it. Note the 2004-01-07 17:58:51 +00:00
geom Prevent withering of the provider we're orphaning from happening until 2003-12-23 11:37:05 +00:00
gnu Fixed a reference to a nonexistent variable in previous commit. Renaming 2003-11-05 11:56:58 +00:00
i4b Based on an excellent suggestion from tanimura@ define I4BPRI and use it 2003-11-10 14:20:34 +00:00
i386 Fix a long-standing bug that had been introduced in rev 1.24 with the 2004-01-07 10:12:59 +00:00
ia64 Make sigaltstack as per-threaded, because per-process sigaltstack state 2004-01-03 02:02:26 +00:00
isa Significantly reduce the "jitter" that is typical for PS/2 mice 2003-12-11 11:28:11 +00:00
isofs/cd9660 DuH! 2003-10-18 14:10:28 +00:00
kern Add pid to the info printed in lockmgr_printinfo. This makes VFS 2004-01-06 04:34:13 +00:00
libkern Make msdosfs long filenames matching case insensitive again. 2003-12-08 08:32:20 +00:00
modules Always clean all files, including ones under ACPI_DEBUG when doing a 2004-01-08 16:38:32 +00:00
net Remove extraneous unlock. This fixes a panic seen when manipulating static 2004-01-07 23:42:21 +00:00
net80211 Sync with netbsd: 2003-12-28 06:57:28 +00:00
netatalk Eliminate a duplicate free when deleting an interface address. This 2003-11-28 04:19:41 +00:00
netatm Introduce a MAC label reference in 'struct inpcb', which caches 2003-11-18 00:39:07 +00:00
netgraph o eliminate widespread on-stack mbuf use for bpf by introducing 2003-12-28 03:56:00 +00:00
netinet Limiters and sanity checks for TCP MSS (maximum segment size) 2004-01-08 17:40:07 +00:00
netinet6 When calculating the sequence number to use in an ip6fw reset, remember to 2003-12-25 23:39:44 +00:00
netipsec Push m_apply() and m_getptr() up into the collection of standard mbuf 2003-12-15 21:49:41 +00:00
netipx Introduce a MAC label reference in 'struct inpcb', which caches 2003-11-18 00:39:07 +00:00
netkey don't touch after free. 2003-12-10 05:01:41 +00:00
netnatm Introduce a MAC label reference in 'struct inpcb', which caches 2003-11-18 00:39:07 +00:00
netncp The present defaults for the open and close for device drivers which 2003-09-27 12:01:01 +00:00
netsmb Add support for SMB request signing, which prevents "man in the middle" 2004-01-02 22:38:42 +00:00
nfs University of Michigan's Citi NFSv4 kernel client code. 2003-11-14 20:54:10 +00:00
nfs4client This patch fixes two little portability (to !GCC compilers) problems: 2003-12-11 11:30:26 +00:00
nfsclient Use function pointers to remove the dependency cross dependency on nfs4 2003-11-22 02:21:49 +00:00
nfsserver Fix some becuase -> because typos. 2003-12-17 16:12:01 +00:00
opencrypto style(9) pass and type fixups. 2003-12-16 14:13:47 +00:00
pc98 Remove the AUTO_EOI_2 option for PC-98 as it has never done anything anyway 2004-01-06 18:51:14 +00:00
pccard - Implement selwakeuppri() which allows raising the priority of a 2003-11-09 09:17:26 +00:00
pci The transmit frame status is stored in the last transmit descriptor for the 2004-01-08 06:22:15 +00:00
posix4
powerpc Make sigaltstack as per-threaded, because per-process sigaltstack state 2004-01-03 02:02:26 +00:00
rpc Change the definition of NULL on ia64 (for LP64 compilations) from 2003-12-07 21:10:06 +00:00
security Switch TCP over to using the inpcb label when responding in timed 2003-12-17 14:55:11 +00:00
sparc64 Make sigaltstack as per-threaded, because per-process sigaltstack state 2004-01-03 02:02:26 +00:00
sys Properly ifdef support for vfs locking assertions based on DEBUG_VFS_LOCKS. 2004-01-05 18:04:02 +00:00
tools Changes for new SMP-safe kobj method dispatch algorithm. 2003-10-16 13:29:26 +00:00
ufs Avoid calling vprint on a vnode while holding its interlock mutex. 2004-01-04 04:08:34 +00:00
vm Don't bother clearing PG_ZERO in contigmalloc1(), kmem_alloc(), or 2004-01-06 20:52:55 +00:00
Makefile