Modifying the exponential backoff on new connection SYN packets

Modifying the exponential backoff on new connection SYN packets

[Ed W]

Hi, I have an unusual situation in that I would like to cap the 
retransmit frequency on the initial SYN packets at some fairly short 
time interval, eg a max of 2-4 seconds, rather than the usual 
exponentially increasing interval.  I could use some help figuring out 
the exact point in the kernel to make such a change please?

The situation is that I am building a firewall which will be used with 
expensive satellite links (think $10-100/MB range). Some of the links 
are dialup links which take 20-40 seconds to bring up, and then we have 
PPP drop the link after 10 seconds of inactivity. However, with the 
default exponential backoff on new connections we are generally 
retransmitting with a 16sec or 32 sec interval by the time the dialup 
link is connected, the timout for inactivity kicks in and drops the link 
before the retransmit...

I believe the exponential backoff is intended to prevent amplification 
attacks? In this particular case we are accounting for traffic per user 
and the internet costs are extremely substantial, so I think it's not a 
problem

Could someone please help figure out the appropriate place to tweak the 
exponential backoff? Note this is not retransmit of in flight data, just 
the backoff for the initial syn (which doesn't seem to be configurable 
in user space?)

Note, we have an application proxy here, but I can't see a sensible way 
to fake it in user space without a lot of extra coding - any suggestions?

Thanks

Ed W

Re: Modifying the exponential backoff on new connection SYN packets

[Eric Dumazet]

On Tue, 2013-04-09 at 10:06 +0100, Ed W wrote:
> Hi, I have an unusual situation in that I would like to cap the 
> retransmit frequency on the initial SYN packets at some fairly short 
> time interval, eg a max of 2-4 seconds, rather than the usual 
> exponentially increasing interval.  I could use some help figuring out 
> the exact point in the kernel to make such a change please?
> 
> The situation is that I am building a firewall which will be used with 
> expensive satellite links (think $10-100/MB range). Some of the links 
> are dialup links which take 20-40 seconds to bring up, and then we have 
> PPP drop the link after 10 seconds of inactivity. However, with the 
> default exponential backoff on new connections we are generally 
> retransmitting with a 16sec or 32 sec interval by the time the dialup 
> link is connected, the timout for inactivity kicks in and drops the link 
> before the retransmit...
> 
> I believe the exponential backoff is intended to prevent amplification 
> attacks? In this particular case we are accounting for traffic per user 
> and the internet costs are extremely substantial, so I think it's not a 
> problem
> 
> Could someone please help figure out the appropriate place to tweak the 
> exponential backoff? Note this is not retransmit of in flight data, just 
> the backoff for the initial syn (which doesn't seem to be configurable 
> in user space?)
> 
> Note, we have an application proxy here, but I can't see a sensible way 
> to fake it in user space without a lot of extra coding - any suggestions?

You'll have to change inet_csk_reqsk_queue_prune() in
net/ipv4/inet_connection_sock.c

timeo = min(timeout << req->num_timeout, max_rto);
req->expires = now + timeo; 

Good luck !

Re: Modifying the exponential backoff on new connection SYN packets

[Eric Dumazet]

On Tue, 2013-04-09 at 06:48 -0700, Eric Dumazet wrote:

> You'll have to change inet_csk_reqsk_queue_prune() in
> net/ipv4/inet_connection_sock.c
> 
> timeo = min(timeout << req->num_timeout, max_rto);
> req->expires = now + timeo; 
> 
> Good luck !

Oh well, this code is for SYNACK retransmits...

For other retransmits, you'll have to take a look in
net/ipv4/tcp_timer.c, around lines 475

icsk->icsk_rto = min(icsk->icsk_rto << 1, TCP_RTO_MAX);

Re: Modifying the exponential backoff on new connection SYN packets

[Ed W]

On 09/04/2013 16:12, Eric Dumazet wrote:
> On Tue, 2013-04-09 at 06:48 -0700, Eric Dumazet wrote:
>
>> You'll have to change inet_csk_reqsk_queue_prune() in
>> net/ipv4/inet_connection_sock.c
>>
>> timeo = min(timeout << req->num_timeout, max_rto);
>> req->expires = now + timeo;
>>
>> Good luck !
> Oh well, this code is for SYNACK retransmits...
>
> For other retransmits, you'll have to take a look in
> net/ipv4/tcp_timer.c, around lines 475
>
> icsk->icsk_rto = min(icsk->icsk_rto << 1, TCP_RTO_MAX);
>
>

Hmm, I don't necessarily want to change the normal data timeouts, just 
the initial SYN timeouts. How might I make detect that I'm in SYN state 
and cap the timer appropriately? Apologies for beginner questions...

Thanks

Ed W

Re: Modifying the exponential backoff on new connection SYN packets

[Eric Dumazet]

On Tue, 2013-04-09 at 16:52 +0100, Ed W wrote:
> On 09/04/2013 16:12, Eric Dumazet wrote:
> > On Tue, 2013-04-09 at 06:48 -0700, Eric Dumazet wrote:
> >
> >> You'll have to change inet_csk_reqsk_queue_prune() in
> >> net/ipv4/inet_connection_sock.c
> >>
> >> timeo = min(timeout << req->num_timeout, max_rto);
> >> req->expires = now + timeo;
> >>
> >> Good luck !
> > Oh well, this code is for SYNACK retransmits...
> >
> > For other retransmits, you'll have to take a look in
> > net/ipv4/tcp_timer.c, around lines 475
> >
> > icsk->icsk_rto = min(icsk->icsk_rto << 1, TCP_RTO_MAX);
> >
> >
> 
> Hmm, I don't necessarily want to change the normal data timeouts, just 
> the initial SYN timeouts. How might I make detect that I'm in SYN state 
> and cap the timer appropriately? Apologies for beginner questions...

You'll have to add a test on :

if (sk->sk_state == TCP_SYN_SENT)

should be pretty easy.