public inbox for netdev@vger.kernel.org
 help / color / mirror / Atom feed
From: Eric Dumazet <eric.dumazet@gmail.com>
To: paulmck@linux.vnet.ibm.com
Cc: Patrick McHardy <kaber@trash.net>,
	Changli Gao <xiaosuo@gmail.com>,
	hawk@comx.dk,
	Linux Kernel Network Hackers <netdev@vger.kernel.org>,
	netfilter-devel@vger.kernel.org
Subject: Re: DDoS attack causing bad effect on conntrack searches
Date: Thu, 22 Apr 2010 18:02:08 +0200	[thread overview]
Message-ID: <1271952128.7895.5851.camel@edumazet-laptop> (raw)
In-Reply-To: <20100422155123.GA2524@linux.vnet.ibm.com>

Le jeudi 22 avril 2010 à 08:51 -0700, Paul E. McKenney a écrit :
> On Thu, Apr 22, 2010 at 04:53:49PM +0200, Eric Dumazet wrote:
> > Le jeudi 22 avril 2010 à 16:36 +0200, Eric Dumazet a écrit :
> > 
> > > If one hash slot is under attack, then there is a bug somewhere.
> > > 
> > > If we cannot avoid this, we can fallback to a secure mode at the second
> > > retry, and take the spinlock.
> > > 
> > > Tis way, most of lookups stay lockless (one pass), and some might take
> > > the slot lock to avoid the possibility of a loop.
> > > 
> > > I suspect a bug elsewhere, quite frankly !
> > > 
> > > We have a chain that have an end pointer that doesnt match the expected
> > > one.
> > > 
> > 
> > On normal situation, we always finish the lookup :
> > 
> > 1) If we found the thing we were looking at.
> > 
> > 2) We get the list end (item not found), we then check if it is the
> > expected end.
> > 
> > It is _not_ the expected end only if some writer deleted/inserted an
> > element in _this_ chain during our lookup.
> 
> So this situation uses SLAB_DESTROY_BY_RCU to quickly recycle deleted
> elements?  (Not obvious from the code, but my ignorance of the networking
> code is such that many things in that part of the kernel are not obvious
> to me, I am afraid.)
> 

Yes, this uses SLAB_DESTROY_BY_RCU, like tcp/udp lookups.

> Otherwise, of course you would simply allow deleted elements to continue
> pointing where they did previously, so that concurrent readers would not
> miss anything.
> 




> Of course, the same potential might arise on insertion, but it is usually
> OK to miss an element that was inserted after you started searching.
> 
> > Because our lookup is lockless, we then have to redo it because we might
> > miss the object we are looking for.
> 
> Ah...  Is there also a resize operation?  Herbert did do a resizable
> hash table recently, but I was under the impression that (1) it was in
> some other part of the networking stack and (2) it avoided the need to
> restart readers.
> 
> > If we can do the 'retry' a 10 times, it means the attacker was really
> > clever enough to inject new packets (new conntracks) at the right
> > moment, in the right hash chain, and this sounds so higly incredible
> > that I cannot believe it at all :)
> 
> Or maybe the DoS attack is injecting so many new conntracks that a large
> fraction of the hash chains are being modified at any given time?
> 
> 							Thanx, Paul

maybe hash table has one slot :)


--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

  reply	other threads:[~2010-04-22 16:02 UTC|newest]

Thread overview: 54+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2010-04-22 12:58 DDoS attack causing bad effect on conntrack searches Jesper Dangaard Brouer
2010-04-22 13:13 ` Changli Gao
2010-04-22 13:17   ` Patrick McHardy
2010-04-22 14:36     ` Eric Dumazet
2010-04-22 14:53       ` Eric Dumazet
2010-04-22 15:51         ` Paul E. McKenney
2010-04-22 16:02           ` Eric Dumazet [this message]
2010-04-22 16:34             ` Paul E. McKenney
2010-04-22 20:38             ` Jesper Dangaard Brouer
2010-04-22 21:03               ` Eric Dumazet
2010-04-22 21:14                 ` Eric Dumazet
2010-04-22 23:44                   ` David Miller
2010-04-23  5:44                     ` Eric Dumazet
2010-04-23  8:13                       ` David Miller
2010-04-23  8:18                         ` David Miller
2010-04-23  8:40                           ` Jesper Dangaard Brouer
2010-04-23 10:36                   ` Patrick McHardy
2010-04-23 11:06                     ` Eric Dumazet
2010-04-22 21:28                 ` Jesper Dangaard Brouer
2010-04-23  7:23                   ` Jan Engelhardt
2010-04-23  7:46                     ` Eric Dumazet
2010-04-23  7:55                       ` Jan Engelhardt
2010-04-23  9:23                         ` Eric Dumazet
2010-04-23 10:55                 ` Patrick McHardy
2010-04-23 11:05                   ` Eric Dumazet
2010-04-23 11:06                     ` Patrick McHardy
2010-04-23 20:57               ` Eric Dumazet
2010-04-24 11:11                 ` Jesper Dangaard Brouer
2010-04-24 20:11                   ` Eric Dumazet
2010-04-26 14:36                     ` Jesper Dangaard Brouer
2010-05-31 21:21                       ` Eric Dumazet
2010-06-01  0:28                         ` Changli Gao
2010-06-01  5:05                           ` Eric Dumazet
2010-06-01  5:48                             ` Changli Gao
2010-06-01 10:18                             ` Patrick McHardy
2010-06-01 10:31                               ` Eric Dumazet
2010-06-01 10:41                                 ` Patrick McHardy
2010-06-01 16:20                                   ` [RFC nf-next-2.6] conntrack: per cpu nf_conntrack_untracked Eric Dumazet
2010-06-04 11:40                                     ` Patrick McHardy
2010-06-04 12:10                                       ` Changli Gao
2010-06-04 12:29                                         ` Patrick McHardy
2010-06-04 12:36                                           ` Eric Dumazet
2010-06-04 16:25                                             ` [PATCH nf-next-2.6] conntrack: IPS_UNTRACKED bit Eric Dumazet
2010-06-04 20:15                                               ` [PATCH nf-next-2.6 2/2] conntrack: per_cpu untracking Eric Dumazet
2010-06-08 14:29                                                 ` Patrick McHardy
2010-06-08 14:52                                                   ` Eric Dumazet
2010-06-08 15:12                                                     ` Eric Dumazet
2010-06-09 12:45                                                       ` Patrick McHardy
2010-06-08 14:12                                               ` [PATCH nf-next-2.6] conntrack: IPS_UNTRACKED bit Patrick McHardy
2010-04-23 10:56       ` DDoS attack causing bad effect on conntrack searches Patrick McHardy
2010-04-23 12:45         ` Jesper Dangaard Brouer
2010-04-23 13:57           ` Patrick McHardy
2010-04-22 13:31   ` Jesper Dangaard Brouer
2010-04-23 10:35     ` Patrick McHardy

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1271952128.7895.5851.camel@edumazet-laptop \
    --to=eric.dumazet@gmail.com \
    --cc=hawk@comx.dk \
    --cc=kaber@trash.net \
    --cc=netdev@vger.kernel.org \
    --cc=netfilter-devel@vger.kernel.org \
    --cc=paulmck@linux.vnet.ibm.com \
    --cc=xiaosuo@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox