From: Eric Dumazet <eric.dumazet@gmail.com>
To: Denys Fedoryshchenko <denys@visp.net.lb>,
David Miller <davem@davemloft.net>
Cc: Michael Tokarev <mjt@tls.msk.ru>, netdev@vger.kernel.org
Subject: Re: SYN attack, with FIN flag set
Date: Sat, 03 Dec 2011 10:41:42 +0100 [thread overview]
Message-ID: <1322905302.2762.106.camel@edumazet-laptop> (raw)
In-Reply-To: <73da1a18b48dc3097acd6728be208c66@visp.net.lb>
Le samedi 03 décembre 2011 à 11:07 +0200, Denys Fedoryshchenko a écrit :
> No,no, as i understand it is just threating SYN+FIN as plain SYN.
> I think if it incurr additional expenses (verification), no need maybe
> to fix it, it is job of iptables.
> But is FIN to listening socket - legitimate? Shouldn't it be dropped?
>
Host network stack is optimized for the fast path (legitimate traffic)
Firewalls are optimized to the opposite, to let protected machines doing
their jobs without slow checks.
If we add all possible counter measures in tcp stack, it would be maybe
2 times slower than it is...
Remember than SYN|FIN messages are maybe 0.000001% of total Internet
trafic, since they are not legitimate.
In the case of SYN packet, flow is :
1) IP stack : ip_rcv(), ip_route_input_noref(), ip_rcv_finish()
2) TCP stack :
tcp_v4_rcv(),
__inet_lookup_skb() [ find the listener socket ]
bh_lock_sock_nested(sk) [ lock the socket ]
tcp_v4_do_rcv()
tcp_v4_hnd_req()
inet_csk_search_req() [ try to find a previous SYN_RECV sock]
tcp_rcv_state_process()
tcp_v4_conn_request(sk, skb)
So it appears we go too far, we should drop FIN messages at this point.
What about following patch then ?
The added test is hit only for SYN messages, this seems not a very
expensive test.
[PATCH] tcp: drop SYN+FIN messages
Denys Fedoryshchenko reported that SYN+FIN attacks were bringing his
linux machines to their limits.
Dont call conn_request() if the TCP flags includes SYN flag
Reported-by: Denys Fedoryshchenko <denys@visp.net.lb>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
---
net/ipv4/tcp_input.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 52b5c2d..d54c942 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -5809,6 +5809,8 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
goto discard;
if (th->syn) {
+ if (th->fin)
+ goto discard;
if (icsk->icsk_af_ops->conn_request(sk, skb) < 0)
return 1;
next prev parent reply other threads:[~2011-12-03 9:41 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-12-02 22:29 SYN attack, with FIN flag set Denys Fedoryshchenko
2011-12-03 7:27 ` Eric Dumazet
2011-12-03 7:55 ` Eric Dumazet
2011-12-03 8:18 ` Denys Fedoryshchenko
2011-12-03 8:53 ` Eric Dumazet
2011-12-03 9:03 ` Michael Tokarev
2011-12-03 9:07 ` Denys Fedoryshchenko
2011-12-03 9:41 ` Eric Dumazet [this message]
2011-12-03 10:02 ` Eric Dumazet
2011-12-03 18:40 ` Denys Fedoryshchenko
2011-12-04 6:26 ` David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1322905302.2762.106.camel@edumazet-laptop \
--to=eric.dumazet@gmail.com \
--cc=davem@davemloft.net \
--cc=denys@visp.net.lb \
--cc=mjt@tls.msk.ru \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox