* IPv4 route cache DOS attack
@ 2012-11-27 23:15 叶雨飞
From: 叶雨飞 @ 2012-11-27 23:15 UTC (permalink / raw)
To: netdev
Hi,
I have a linux router running kernel 3.2 that receives public ingress
packets and routes them through a GRE tunnel; return packets don't go
through it.
I've recently faced a serious issue with the route cache: when the
router receives spoofed source addresses, the route cache quickly gets
exhausted (depending on its size), and soon "ip dst cache
overflow" is printed and the network subsystem hangs until
restarted.
So, my question is: how can I turn off the route cache without
recompiling the kernel or adding the removal patch from 3.7? I
tried to set
echo 0 > /proc/sys/net/ipv4/route/max_size
but that has no effect at all.
And if someone can share some insight on why the network subsystem
hangs when the dst cache overflows, it would be great.
Thanks.
* Re: IPv4 route cache DOS attack
From: Eric Dumazet @ 2012-11-28 1:01 UTC (permalink / raw)
To: 叶雨飞; +Cc: netdev
On Tue, 2012-11-27 at 15:15 -0800, 叶雨飞 wrote:
> Hi,
>
> I have a linux router running kernel 3.2 that receives public ingress
> packets and routes them through a GRE tunnel; return packets don't go
> through it.
>
> I've recently faced a serious issue with the route cache: when the
> router receives spoofed source addresses, the route cache quickly gets
> exhausted (depending on its size), and soon "ip dst cache
> overflow" is printed and the network subsystem hangs until
> restarted.
>
> So, my question is: how can I turn off the route cache without
> recompiling the kernel or adding the removal patch from 3.7? I
> tried to set
>
> echo 0 > /proc/sys/net/ipv4/route/max_size
> but that has no effect at all.
>
> And if someone can share some insight on why the network subsystem
> hangs when the dst cache overflows, it would be great.
echo -1 >/proc/sys/net/ipv4/rt_cache_rebuild_count
* Re: IPv4 route cache DOS attack
From: 叶雨飞 @ 2012-11-28 1:34 UTC (permalink / raw)
To: Eric Dumazet; +Cc: netdev
Thanks!!! It works; after flushing the cache it stays at 0.
On Tue, Nov 27, 2012 at 5:01 PM, Eric Dumazet <eric.dumazet@gmail.com> wrote:
> On Tue, 2012-11-27 at 15:15 -0800, 叶雨飞 wrote:
>> Hi,
>>
>> I have a linux router running kernel 3.2 that receives public ingress
>> packets and routes them through a GRE tunnel; return packets don't go
>> through it.
>>
>> I've recently faced a serious issue with the route cache: when the
>> router receives spoofed source addresses, the route cache quickly gets
>> exhausted (depending on its size), and soon "ip dst cache
>> overflow" is printed and the network subsystem hangs until
>> restarted.
>>
>> So, my question is: how can I turn off the route cache without
>> recompiling the kernel or adding the removal patch from 3.7? I
>> tried to set
>>
>> echo 0 > /proc/sys/net/ipv4/route/max_size
>> but that has no effect at all.
>>
>> And if someone can share some insight on why the network subsystem
>> hangs when the dst cache overflows, it would be great.
>
> echo -1 >/proc/sys/net/ipv4/rt_cache_rebuild_count
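The fix Eric gives and the flush the poster needed, with a check on the counters a 3.x kernel exposes in /proc/net/stat/rt_cache, as an added example (not code from the thread). It assumes the 3.x layout of that file (a header line, then one row of %08x hex fields per CPU, where "entries" is the global dst count and "gc_dst_overflow" counts allocations refused because the cache was full); file and directory paths are parameters so it runs on the constructed sample below instead of a live router.

```shell
#!/bin/bash
# Added example, not code from the thread. Parses the per-CPU counters that 3.x
# kernels expose in /proc/net/stat/rt_cache (a header line, then one row of
# %08x hex fields per CPU) and reports whether the IPv4 route cache is close to
# the max_size limit or already failing allocations (gc_dst_overflow), which is
# what precedes the "dst cache overflow" message the poster saw. File and
# directory paths are parameters so the functions can run on constructed input.

# sum_column STATFILE NAME -> decimal sum of the named hex column over all CPUs
sum_column() {
    local total=0 hex
    for hex in $(awk -v name="$2" '
        NR == 1 { for (i = 1; i <= NF; i++) if ($i == name) col = i; next }
        col     { print $col }' "$1"); do
        total=$((total + 0x$hex))
    done
    echo "$total"
}

# rt_entries STATFILE -> current dst entry count (a global value, so read once)
rt_entries() { echo $((0x$(awk 'NR == 2 { print $1; exit }' "$1"))); }

# route_cache_status STATFILE MAXSIZE -> ok | near-limit | overflowing
route_cache_status() {
    local entries overflow
    entries=$(rt_entries "$1")
    overflow=$(sum_column "$1" gc_dst_overflow)
    if [ "$overflow" -gt 0 ]; then echo overflowing
    elif [ $((entries * 10)) -ge $(($2 * 9)) ]; then echo near-limit   # >= 90 % full
    else echo ok
    fi
}

# disable_route_cache SYSCTLDIR: Eric's answer plus the flush the poster needed
# before the count stayed at 0. SYSCTLDIR is /proc/sys/net/ipv4 on the router.
disable_route_cache() {
    echo -1 >"$1/rt_cache_rebuild_count" && echo 1 >"$1/route/flush"
}

# Constructed sample: two CPUs, 0x1000 entries, CPU 0 has already hit overflow
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
entries  in_hit in_slow_tot in_slow_mc in_no_route in_brd in_martian_dst in_martian_src  out_hit out_slow_tot out_slow_mc  gc_total gc_ignored gc_goal_miss gc_dst_overflow in_hlist_search out_hlist_search
00001000 0000a1b2 00000311 00000000 00000002 00000000 00000000 00000000 00000120 00000033 00000000 00000040 00000000 00000000 00000003 00000500 00000090
00001000 00009f00 000002f4 00000000 00000000 00000000 00000000 00000000 00000119 00000030 00000000 0000003f 00000000 00000000 00000000 000004e0 00000088
EOF

echo "entries=$(rt_entries "$SAMPLE") status=$(route_cache_status "$SAMPLE" 65536)"
```

On a live 3.2 router the same functions read /proc/net/stat/rt_cache and /proc/sys/net/ipv4 directly; a non-zero gc_dst_overflow total is the counter to alert on before the hang the thread describes.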
* Re: IPv4 route cache DOS attack
From: David Miller @ 2012-11-28 2:14 UTC (permalink / raw)
To: sunyucong; +Cc: netdev
We saw your email the other day, do not resend the same exact
question over and over again.
If nobody has time, or wants, to answer you, then you have to simply
accept that. Repeating your posting only will make things worse
for you, trust me.
Thank you.
* Re: IPv4 route cache DOS attack
From: 叶雨飞 @ 2012-11-28 2:48 UTC (permalink / raw)
To: David Miller; +Cc: netdev
My first email was to lartc@ and this one is to netdev@.
On Tue, Nov 27, 2012 at 6:14 PM, David Miller <davem@davemloft.net> wrote:
>
> We saw your email the other day, do not resend the same exact
> question over and over again.
>
> If nobody has time, or wants, to answer you, then you have to simply
> accept that. Repeating your posting only will make things worse
> for you, trust me.
>
> Thank you.