ICMP attacks against TCP and PMTUD
Nikolay Denev
ndenev at gmail.com
Thu Jan 12 17:55:52 UTC 2012
Hello,
A web server that I administer running Nginx and FreeBSD-7.3-STABLE was recently
under a ICMP attack that generated a large amount of outgoing TCP traffic.
With some tcpdump and netflow analysis it was evident that the attachers are using
ICMP host-unreach need-frag messages to make the web server
retransmit multiple times, giving a amplification factor of about 1.6.
Then I noticed RFC5927 ( http://www.faqs.org/rfcs/rfc5927.html ) and specifically section 7.2
which discusses countermeasures against such attacks. The text reads :
This section describes a modification to the PMTUD mechanism
specified in [RFC1191] and [RFC1981] that has been incorporated in
OpenBSD and NetBSD (since 2005) to improve TCP's resistance to the
blind performance-degrading attack described in Section 7.1. The
described counter-measure basically disregards ICMP messages when a
connection makes progress, without violating any of the requirements
stated in [RFC1191] and [RFC1981].
The RFC is recent (dated from July 2010), and it mentions several times Linux, Free,Open and NetBSD,
but exactly in this paragraph it is mentioning only Net and OpenBSD's, thus I'm asking if
anyone has idea if these modifications were being put into FreeBSD?
I quickly glanced upon the source, but the TCP code is a bit too much for me :)
Also if anybody has observed similar attack, how are you protecting yourself from it?
Simply blocking host-unreach need-frag would break PMTUD.
P.S.: I know 7.3 is pretty old, and I've planned upgrade to 8.2. I'm also curious if 8.2 will behave differently.
Regards,
Nikolay
More information about the freebsd-net
mailing list