Re: the TCP MSS resource exhaustion commit

From: Robert Watson <rwatson_at_freebsd.org>
Date: Fri, 9 Jan 2004 11:39:03 -0500 (EST)
On Fri, 9 Jan 2004, Dan Nelson wrote:

> In the last episode (Jan 09), Andre Oppermann said:
> > Bernd Walter wrote:
> > > On Fri, Jan 09, 2004 at 03:23:53PM +0100, Andre Oppermann wrote:
> > > > Thorsten Greiner wrote:
> > > > > While I have read your commit message thoroughly I am not sure
> > > > > I have understood the consequences of the new mechanism. Will
> > > > > the exchange of many small packets trigger a connection drop?
> > > >
> > > > Yes.  Once you receive more than 1,000 TCP packets per second
> > > > whose average size is below the net.inet.tcp.minmss value, then
> > > > it will assume a malicious DoS attack.  It appears that the
> > > > default value of 1,000 is too low.
> > 
> > The detection logic only applies to TCP packets containing payload,
> > not to ACKs or anything else.
> 
> The Oracle case was probably triggered by the ping-ponging effect that
> running many small queries causes.  People running MySQL as a backend
> for webservers will probably trigger the same thing. 
> 
> You should probably also ignore any connections originating from local
> networks, ignore any connections where TCP_NODELAY is set (which will
> cover the ssh case), and ignore packets where the reply has data in it
> (which will cover Oracle, MySQL, xmlrpc, NFS, NIS, and any other
> request-reply protocol with small packets). 

I guess my basic worry in this conversation is that fundamentally, the
rate detection and "stop" approach is based on a common case heuristic:
"Most well behaved applications don't...".  Unfortunately, I have the
feeling we're going to run into a lot of exceptions, and while we can
improve the heuristic, I can't help but wonder if we shouldn't disable the
heuristic by default, and provide better reporting so that sites can tell
if the heuristic *would* enable protection, and then they can optionally
turn it on at their choice...  I.e., a console message or sysctl that can
be monitored.  It's not hard for me to imagine a lot of RPC content being
sent over TCP connections with small packet sizes: multiplexing is a
commonly used approach, especially now that every protocol runs over HTTP
:-). 

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert_at_fledge.watson.org      Senior Research Scientist, McAfee Research
Received on Fri Jan 09 2004 - 07:40:42 UTC
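The rate-versus-size rule the thread describes, and the report-only alternative Robert proposes, as an added illustration that is not part of the thread or of the FreeBSD code. It assumes a minmss of 216 bytes (the thread does not state the default), the 1,000 packets/second threshold quoted above, and a sliding one-second window, which is a simplification of the kernel's per-connection counters; the traffic it feeds in is constructed.

```python
from collections import deque
from dataclasses import dataclass, field

MINMSS = 216           # assumed net.inet.tcp.minmss; the thread does not state the default
OVERLOAD_PPS = 1000    # packets/second threshold quoted in the thread

@dataclass
class Segment:
    ts: float          # arrival time in seconds
    payload: int       # TCP payload bytes; 0 for a pure ACK

@dataclass
class MinmssMonitor:
    """Sliding one-second view of data-bearing segments on one connection."""
    minmss: int = MINMSS
    limit: int = OVERLOAD_PPS
    report_only: bool = True                    # log instead of drop, as Robert suggests
    window: deque = field(default_factory=deque)
    window_bytes: int = 0
    alerts: list = field(default_factory=list)  # (ts, pps, avg_payload) each time the rule fires

    def observe(self, seg: Segment) -> bool:
        """Return True if this segment would cause the connection to be dropped."""
        if seg.payload == 0:
            return False                        # ACKs and other empty segments are not counted
        self.window.append(seg)
        self.window_bytes += seg.payload
        while seg.ts - self.window[0].ts >= 1.0:  # evict segments older than one second
            self.window_bytes -= self.window.popleft().payload
        pps = len(self.window)
        avg = self.window_bytes / pps
        if pps > self.limit and avg < self.minmss:
            self.alerts.append((seg.ts, pps, avg))
            return not self.report_only
        return False

def simulate(rate: int, payload: int, seconds: float = 2.0, report_only: bool = True):
    """Constructed request-reply trace: `rate` requests/s of `payload` bytes, each answered
    by a pure ACK.  Returns (dropped, number_of_alerts)."""
    mon = MinmssMonitor(report_only=report_only)
    for i in range(int(rate * seconds)):
        ts = i / rate
        if mon.observe(Segment(ts, payload)):
            return True, len(mon.alerts)
        mon.observe(Segment(ts + 0.5 / rate, 0))  # the reply ACK carries no data
    return False, len(mon.alerts)
```

`simulate(1500, 40)` models the small-query case from the thread: it only logs, while the same traffic with `report_only=False` is dropped; `simulate(500, 40)` and `simulate(1500, 1000)` stay quiet because they miss the rate or the size condition.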