From: Eric Dumazet <eric.dumazet@gmail.com>
To: Jesper Dangaard Brouer <brouer@redhat.com>
Cc: "David S. Miller" <davem@davemloft.net>,
Hannes Frederic Sowa <hannes@stressinduktion.org>,
netdev@vger.kernel.org
Subject: Re: [net-next PATCH 1/4] Revert "inet: limit length of fragment queue hash table bucket lists"
Date: Wed, 24 Apr 2013 17:00:30 -0700 [thread overview]
Message-ID: <1366848030.8964.98.camel@edumazet-glaptop> (raw)
In-Reply-To: <20130424154800.16883.4797.stgit@dragon>
On Wed, 2013-04-24 at 17:48 +0200, Jesper Dangaard Brouer wrote:
> This reverts commit 5a3da1fe9561828d0ca7eca664b16ec2b9bf0055.
>
> The problem with commit 5a3da1fe (inet: limit length of fragment queue
> hash table bucket lists) is that, once we hit the hash depth limit (of
> 128), the we *keep* the existing frag queues, not allowing new frag
> queues to be created. Thus, an attacker can effectivly block handling
> of fragments for 30 sec (as each frag queue have a timeout of 30 sec)
>
I do not think its good to revert this patch. It was a step in right
direction.
Limiting chain length to 128 is good.
An attacker can attack a defrag unit, no matter strategy you use, thats
why fragments are doomed.
The only way to resist to an attack is to have enough memory in defrag
unit to accumulate 30 seconds worth of traffic.
Thats 30GB of memory if you receive 1GB per second, bit counting the
overhead.
If the attacker knows the IP address of the user of your defrag unit,
you are doomed because IP id are 16bits.
next prev parent reply other threads:[~2013-04-25 0:00 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-04-24 15:47 [net-next PATCH 0/4] net: frag patchset for fixing LRU scalability issue Jesper Dangaard Brouer
2013-04-24 15:48 ` [net-next PATCH 1/4] Revert "inet: limit length of fragment queue hash table bucket lists" Jesper Dangaard Brouer
2013-04-25 0:00 ` Eric Dumazet [this message]
2013-04-25 13:10 ` Jesper Dangaard Brouer
2013-04-25 13:58 ` David Laight
2013-05-02 7:59 ` Jesper Dangaard Brouer
2013-05-02 15:16 ` Eric Dumazet
2013-05-03 9:15 ` Jesper Dangaard Brouer
2013-04-24 15:48 ` [net-next PATCH 2/4] net: increase frag hash size Jesper Dangaard Brouer
2013-04-24 22:09 ` Sergei Shtylyov
2013-04-25 10:13 ` Jesper Dangaard Brouer
2013-04-25 12:13 ` Sergei Shtylyov
2013-04-25 19:11 ` David Miller
2013-04-24 23:48 ` Eric Dumazet
2013-04-25 3:26 ` Hannes Frederic Sowa
2013-04-25 19:52 ` [net-next PATCH V2] " Jesper Dangaard Brouer
2013-04-29 17:44 ` David Miller
2013-04-24 15:48 ` [net-next PATCH 3/4] net: avoid false perf interpretations in frag code Jesper Dangaard Brouer
2013-04-24 23:48 ` Eric Dumazet
2013-04-24 23:54 ` David Miller
2013-04-25 10:57 ` Jesper Dangaard Brouer
2013-04-25 19:13 ` David Miller
2013-04-24 15:48 ` [net-next PATCH 4/4] net: frag LRU list per CPU Jesper Dangaard Brouer
2013-04-25 0:25 ` Eric Dumazet
2013-04-25 2:05 ` Eric Dumazet
2013-04-25 14:06 ` Jesper Dangaard Brouer
2013-04-25 14:37 ` Eric Dumazet
2013-04-25 13:59 ` Jesper Dangaard Brouer
2013-04-25 14:10 ` Eric Dumazet
2013-04-25 14:18 ` Eric Dumazet
2013-04-25 19:15 ` Jesper Dangaard Brouer
2013-04-25 19:22 ` Eric Dumazet
2013-04-24 16:21 ` [net-next PATCH 0/4] net: frag patchset for fixing LRU scalabilityissue David Laight
2013-04-25 11:39 ` Jesper Dangaard Brouer
2013-04-25 12:57 ` David Laight
2013-04-24 17:27 ` [net-next PATCH 0/4] net: frag patchset for fixing LRU scalability issue Hannes Frederic Sowa
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1366848030.8964.98.camel@edumazet-glaptop \
--to=eric.dumazet@gmail.com \
--cc=brouer@redhat.com \
--cc=davem@davemloft.net \
--cc=hannes@stressinduktion.org \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox