On Fri, Sep 08, 2000 at 03:01:08AM +0300, George Athanassopoulos wrote:
> On Fri, 8 Sep 2000, Andi Kleen wrote:
>
> :If Linux stopped sending ACKs for out of order packets your machine would
> :be pretty much unusable over lossy links (because fast retransmit would
> :not work properly anymore) But that of course can be used
> :to cause your machine to send at least an outgoing packet for each incoming
> :packet.
>
> Sending one outgoing packet for every incoming trash packet to an
> unused (non-listening) port with a non-lossy fast link, is bad.
The only way to fix that with TCP is to pull the plug. You probably didn't
understand it, but the RST is only *one* way where TCP replies, but there
are lots of other ways too (like ACKs)
> :You don't need the patch as I pointed out, it can be all done from user space
> :using tc
> :But it'll only stop a single attack, but there are lots of other attacks
> :possible.
>
> Userspace handling is good but not best for such (I repeat) "weakness".
If you think you don't want such "weakness"es you should probably look
for a different protocol than TCP. I don't know any that would fix it.
The funny thing is that IPSec et.all. don't help here at all.
>
> :
> :It would probably be more useful to find out why an attack kills other
> :systems on your net. I guess you have a fast internet connection (near
> :your ethernet speed) and you're probably using half duplex ethernet,
> :correct?
> :
> :-Andi
> :
>
> I have an 100Mbps full duplex switched LAN connected on a 12mbps ->
> on a 33Mbps -> Ten-155. When incoming flood from hundreds ip addresses
> occurs (some of them spoofed while 95% of them not spoofed) hitting
> unused TCP ports, my machine starts replying RSTs for every incoming
> packet so fast that almost all the way to ten-155 is flooded badly.
> Of course I can still communicate with machines on the same LAN, I
> can still communicate (with big lag) with neibhouring LANs but that's
> it, no further.
This implies that the incoming flood is at least as fast as your outgoing
connection (TCP will never send more than a single packet in response
to an input packet, so the attacker can never eat more outgoing bandwidth
than incoming)
One simple workaround (it is not a real fix, because a real fix is not
possible) would be to limit the total bandwidth the irc servers can
send/receive upstream to a fraction of your full line.
> With my quick-n-dirty "dynamic firewalling" (if I could call it that way)
> I put a blocking rule with ipfw for every incoming packet for some time
> (about 15 minutes) and I remove it after. That seems to work but does
> not seem optimal as it would be , let's say, iptables' RST handling but
> with option to check if the target port is already "used". Which it would
> be much faster.
Just don't let the attackers know, it is a wonderfull DoS against anybody
-Andi
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Fri Sep 15 2000 - 21:00:10 EST