Remove tcp_minmssoverload DoS detection logic. The problem it tried to
protect us from wasn't really there and it only bloats the code. Should the problem surface in the future we can simply resurrect it from cvs history.
parent
9ac793831b
commit
e406f5a1c9
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=167772
@ -124,14 +124,6 @@ struct tcphdr {
|
||||
* Setting this to "0" disables the minmss check.
|
||||
*/
|
||||
#define TCP_MINMSS 216
|
||||
/*
|
||||
* TCP_MINMSSOVERLOAD is defined to be 1000 which should cover any type
|
||||
* of interactive TCP session.
|
||||
* See tcp_subr.c tcp_minmssoverload SYSCTL declaration and tcp_input.c
|
||||
* for more comments.
|
||||
* Setting this to "0" disables the minmssoverload check.
|
||||
*/
|
||||
#define TCP_MINMSSOVERLOAD 0 /* XXX: Disabled until refined */
|
||||
|
||||
/*
|
||||
* Default maximum segment size for TCP6.
|
||||
|
@ -1047,65 +1047,6 @@ tcp_input(m, off0)
|
||||
/* Syncache takes care of sockets in the listen state. */
|
||||
KASSERT(tp->t_state != TCPS_LISTEN, ("tcp_input: TCPS_LISTEN"));
|
||||
|
||||
/*
|
||||
* This is the second part of the MSS DoS prevention code (after
|
||||
* minmss on the sending side) and it deals with too many too small
|
||||
* tcp packets in a too short timeframe (1 second).
|
||||
*
|
||||
* For every full second we count the number of received packets
|
||||
* and bytes. If we get a lot of packets per second for this connection
|
||||
* (tcp_minmssoverload) we take a closer look at it and compute the
|
||||
* average packet size for the past second. If that is less than
|
||||
* tcp_minmss we get too many packets with very small payload which
|
||||
* is not good and burdens our system (and every packet generates
|
||||
* a wakeup to the process connected to our socket). We can reasonable
|
||||
* expect this to be small packet DoS attack to exhaust our CPU
|
||||
* cycles.
|
||||
*
|
||||
* Care has to be taken for the minimum packet overload value. This
|
||||
* value defines the minimum number of packets per second before we
|
||||
* start to worry. This must not be too low to avoid killing for
|
||||
* example interactive connections with many small packets like
|
||||
* telnet or SSH.
|
||||
*
|
||||
* Setting either tcp_minmssoverload or tcp_minmss to "0" disables
|
||||
* this check.
|
||||
*
|
||||
* Account for packet if payload packet, skip over ACK, etc.
|
||||
*/
|
||||
if (tcp_minmss && tcp_minmssoverload &&
|
||||
tp->t_state == TCPS_ESTABLISHED && tlen > 0) {
|
||||
if ((unsigned int)(tp->rcv_second - ticks) < hz) {
|
||||
tp->rcv_pps++;
|
||||
tp->rcv_byps += tlen + off;
|
||||
if (tp->rcv_pps > tcp_minmssoverload) {
|
||||
if ((tp->rcv_byps / tp->rcv_pps) < tcp_minmss) {
|
||||
printf("too many small tcp packets from "
|
||||
"%s:%u, av. %lubyte/packet, "
|
||||
"dropping connection\n",
|
||||
#ifdef INET6
|
||||
isipv6 ?
|
||||
ip6_sprintf(ip6buf,
|
||||
&inp->inp_inc.inc6_faddr) :
|
||||
#endif
|
||||
inet_ntoa(inp->inp_inc.inc_faddr),
|
||||
inp->inp_inc.inc_fport,
|
||||
tp->rcv_byps / tp->rcv_pps);
|
||||
KASSERT(headlocked, ("tcp_input: "
|
||||
"after_listen: tcp_drop: head "
|
||||
"not locked"));
|
||||
tp = tcp_drop(tp, ECONNRESET);
|
||||
tcpstat.tcps_minmssdrops++;
|
||||
goto drop;
|
||||
}
|
||||
}
|
||||
} else {
|
||||
tp->rcv_second = ticks + hz;
|
||||
tp->rcv_pps = 1;
|
||||
tp->rcv_byps = tlen + off;
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* Segment received on connection.
|
||||
* Reset idle time and keep-alive timer.
|
||||
|
@ -1047,65 +1047,6 @@ tcp_input(m, off0)
|
||||
/* Syncache takes care of sockets in the listen state. */
|
||||
KASSERT(tp->t_state != TCPS_LISTEN, ("tcp_input: TCPS_LISTEN"));
|
||||
|
||||
/*
|
||||
* This is the second part of the MSS DoS prevention code (after
|
||||
* minmss on the sending side) and it deals with too many too small
|
||||
* tcp packets in a too short timeframe (1 second).
|
||||
*
|
||||
* For every full second we count the number of received packets
|
||||
* and bytes. If we get a lot of packets per second for this connection
|
||||
* (tcp_minmssoverload) we take a closer look at it and compute the
|
||||
* average packet size for the past second. If that is less than
|
||||
* tcp_minmss we get too many packets with very small payload which
|
||||
* is not good and burdens our system (and every packet generates
|
||||
* a wakeup to the process connected to our socket). We can reasonable
|
||||
* expect this to be small packet DoS attack to exhaust our CPU
|
||||
* cycles.
|
||||
*
|
||||
* Care has to be taken for the minimum packet overload value. This
|
||||
* value defines the minimum number of packets per second before we
|
||||
* start to worry. This must not be too low to avoid killing for
|
||||
* example interactive connections with many small packets like
|
||||
* telnet or SSH.
|
||||
*
|
||||
* Setting either tcp_minmssoverload or tcp_minmss to "0" disables
|
||||
* this check.
|
||||
*
|
||||
* Account for packet if payload packet, skip over ACK, etc.
|
||||
*/
|
||||
if (tcp_minmss && tcp_minmssoverload &&
|
||||
tp->t_state == TCPS_ESTABLISHED && tlen > 0) {
|
||||
if ((unsigned int)(tp->rcv_second - ticks) < hz) {
|
||||
tp->rcv_pps++;
|
||||
tp->rcv_byps += tlen + off;
|
||||
if (tp->rcv_pps > tcp_minmssoverload) {
|
||||
if ((tp->rcv_byps / tp->rcv_pps) < tcp_minmss) {
|
||||
printf("too many small tcp packets from "
|
||||
"%s:%u, av. %lubyte/packet, "
|
||||
"dropping connection\n",
|
||||
#ifdef INET6
|
||||
isipv6 ?
|
||||
ip6_sprintf(ip6buf,
|
||||
&inp->inp_inc.inc6_faddr) :
|
||||
#endif
|
||||
inet_ntoa(inp->inp_inc.inc_faddr),
|
||||
inp->inp_inc.inc_fport,
|
||||
tp->rcv_byps / tp->rcv_pps);
|
||||
KASSERT(headlocked, ("tcp_input: "
|
||||
"after_listen: tcp_drop: head "
|
||||
"not locked"));
|
||||
tp = tcp_drop(tp, ECONNRESET);
|
||||
tcpstat.tcps_minmssdrops++;
|
||||
goto drop;
|
||||
}
|
||||
}
|
||||
} else {
|
||||
tp->rcv_second = ticks + hz;
|
||||
tp->rcv_pps = 1;
|
||||
tp->rcv_byps = tlen + off;
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* Segment received on connection.
|
||||
* Reset idle time and keep-alive timer.
|
||||
|
@ -137,18 +137,6 @@ SYSCTL_INT(_net_inet_tcp, TCPCTL_V6MSSDFLT, v6mssdflt,
|
||||
int tcp_minmss = TCP_MINMSS;
|
||||
SYSCTL_INT(_net_inet_tcp, OID_AUTO, minmss, CTLFLAG_RW,
|
||||
&tcp_minmss , 0, "Minmum TCP Maximum Segment Size");
|
||||
/*
|
||||
* Number of TCP segments per second we accept from remote host
|
||||
* before we start to calculate average segment size. If average
|
||||
* segment size drops below the minimum TCP MSS we assume a DoS
|
||||
* attack and reset+drop the connection. Care has to be taken not to
|
||||
* set this value too small to not kill interactive type connections
|
||||
* (telnet, SSH) which send many small packets.
|
||||
*/
|
||||
int tcp_minmssoverload = TCP_MINMSSOVERLOAD;
|
||||
SYSCTL_INT(_net_inet_tcp, OID_AUTO, minmssoverload, CTLFLAG_RW,
|
||||
&tcp_minmssoverload , 0,
|
||||
"Number of TCP Segments per Second allowed to be under the MINMSS Size");
|
||||
|
||||
int tcp_do_rfc1323 = 1;
|
||||
SYSCTL_INT(_net_inet_tcp, TCPCTL_DO_RFC1323, rfc1323, CTLFLAG_RW,
|
||||
|
@ -137,18 +137,6 @@ SYSCTL_INT(_net_inet_tcp, TCPCTL_V6MSSDFLT, v6mssdflt,
|
||||
int tcp_minmss = TCP_MINMSS;
|
||||
SYSCTL_INT(_net_inet_tcp, OID_AUTO, minmss, CTLFLAG_RW,
|
||||
&tcp_minmss , 0, "Minmum TCP Maximum Segment Size");
|
||||
/*
|
||||
* Number of TCP segments per second we accept from remote host
|
||||
* before we start to calculate average segment size. If average
|
||||
* segment size drops below the minimum TCP MSS we assume a DoS
|
||||
* attack and reset+drop the connection. Care has to be taken not to
|
||||
* set this value too small to not kill interactive type connections
|
||||
* (telnet, SSH) which send many small packets.
|
||||
*/
|
||||
int tcp_minmssoverload = TCP_MINMSSOVERLOAD;
|
||||
SYSCTL_INT(_net_inet_tcp, OID_AUTO, minmssoverload, CTLFLAG_RW,
|
||||
&tcp_minmssoverload , 0,
|
||||
"Number of TCP Segments per Second allowed to be under the MINMSS Size");
|
||||
|
||||
int tcp_do_rfc1323 = 1;
|
||||
SYSCTL_INT(_net_inet_tcp, TCPCTL_DO_RFC1323, rfc1323, CTLFLAG_RW,
|
||||
|
@ -1873,11 +1873,6 @@ db_print_tcpcb(struct tcpcb *tp, const char *name, int indent)
|
||||
"t_badrxtwin: %lu\n", tp->snd_ssthresh_prev,
|
||||
tp->snd_recover_prev, tp->t_badrxtwin);
|
||||
|
||||
db_print_indent(indent);
|
||||
db_printf("snd_limited: %u rcv_second: %lu rcv_pps: %lu "
|
||||
"tcv_byps: %lu\n", tp->snd_limited, tp->rcv_second, tp->rcv_pps,
|
||||
tp->rcv_byps);
|
||||
|
||||
db_print_indent(indent);
|
||||
db_printf("sack_enable: %d snd_numholes: %d snd_holes first: %p\n",
|
||||
tp->sack_enable, tp->snd_numholes, TAILQ_FIRST(&tp->snd_holes));
|
||||
|
@ -186,10 +186,6 @@ struct tcpcb {
|
||||
tcp_seq snd_recover_prev; /* snd_recover prior to retransmit */
|
||||
u_long t_badrxtwin; /* window for retransmit recovery */
|
||||
u_char snd_limited; /* segments limited transmitted */
|
||||
/* anti DoS counters */
|
||||
u_long rcv_second; /* start of interval second */
|
||||
u_long rcv_pps; /* received packets per second */
|
||||
u_long rcv_byps; /* received bytes per second */
|
||||
/* SACK related state */
|
||||
int sack_enable; /* enable SACK for this connection */
|
||||
int snd_numholes; /* number of holes seen by sender */
|
||||
@ -493,7 +489,6 @@ extern struct inpcbinfo tcbinfo;
|
||||
extern struct tcpstat tcpstat; /* tcp statistics */
|
||||
extern int tcp_mssdflt; /* XXX */
|
||||
extern int tcp_minmss;
|
||||
extern int tcp_minmssoverload;
|
||||
extern int tcp_delack_enabled;
|
||||
extern int tcp_do_newreno;
|
||||
extern int path_mtu_discovery;
|
||||
|