freebsd-nq/sys/netinet
Andre Oppermann 53369ac9bb Limiters and sanity checks for TCP MSS (maximum segment size)
resource exhaustion attacks.

For network link optimization TCP can adjust its MSS and thus
packet size according to the observed path MTU.  This is done
dynamically based on feedback from the remote host and network
components along the packet path.  This information can be
abused to pretend an extremely low path MTU.

The resource exhaustion works in two ways:

 o during TCP connection setup the advertized local MSS is
   exchanged between the endpoints.  The remote endpoint can
   set this arbitrarily low (except for a minimum MTU of 64
   octets enforced in the BSD code).  When the local host is
   sending data it is forced to send many small IP packets
   instead of a large one.

   For example instead of the normal TCP payload size of 1448
   it forces TCP payload size of 12 (MTU 64) and thus we have
   a 120 times increase in workload and packets. On fast links
   this quickly saturates the local CPU and may also hit pps
   processing limits of network components along the path.

   This type of attack is particularly effective for servers
   where the attacker can download large files (WWW and FTP).

   We mitigate it by enforcing a minimum MTU settable by sysctl
   net.inet.tcp.minmss defaulting to 256 octets.

 o the local host is receiving data on a TCP connection from
   the remote host.  The local host has no control over the
   packet size the remote host is sending.  The remote host
   may choose to do what is described in the first attack and
   send the data in packets with a TCP payload of at least
   one byte.  For each packet the tcp_input() function will
   be entered, the packet is processed and a sowakeup() is
   signalled to the connected process.

   For example an attack with 2 Mbit/s gives 4716 packets per
   second and the same amount of sowakeup()s to the process
   (and context switches).

   This type of attack is particularly effective for servers
   where the attacker can upload large amounts of data.
   Normally this is the case with WWW servers where large POSTs
   can be made.

   We mitigate this by calculating the average MSS payload per
   second.  If it goes below 'net.inet.tcp.minmss' and the pps
   rate is above 'net.inet.tcp.minmssoverload' defaulting to
   1000 this particular TCP connection is reset and dropped.

MITRE CVE:	CAN-2004-0002
Reviewed by:	sam (mentor)
MFC after:	1 day
2004-01-08 17:40:07 +00:00
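
The receive-side limiter described in the second item of the commit message, as an added illustration; it is not the FreeBSD code from this commit. The struct, the function names and the fixed one-second accounting window are assumptions; only the two thresholds and their defaults come from the message.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define MINMSS          256   /* default of net.inet.tcp.minmss (from the commit message) */
#define MINMSS_OVERLOAD 1000  /* default of net.inet.tcp.minmssoverload (from the commit message) */

struct conn_rate {            /* hypothetical per-connection accounting state */
    uint64_t window_start_ms; /* start of the current one-second window */
    uint32_t pkts;            /* data segments seen in this window */
    uint64_t bytes;           /* TCP payload bytes seen in this window */
};

/* Account one received data segment; true means "reset and drop the connection". */
bool segment_arrived(struct conn_rate *c, uint64_t now_ms, uint32_t payload_len)
{
    if (now_ms - c->window_start_ms >= 1000) {   /* roll over to a new window */
        c->window_start_ms = now_ms;
        c->pkts = 0;
        c->bytes = 0;
    }
    c->pkts++;
    c->bytes += payload_len;
    if (c->pkts <= MINMSS_OVERLOAD)              /* packet rate still acceptable */
        return false;
    return c->bytes / c->pkts < MINMSS;          /* high rate AND tiny average payload */
}

/* Feed a constructed, evenly spaced stream; returns the 1-based number of the
 * segment that triggers the reset, or 0 if the connection survives. */
uint32_t simulate(uint32_t pps, uint32_t payload_len, uint32_t seconds)
{
    struct conn_rate c = {0};
    uint32_t n = 0;
    for (uint32_t s = 0; s < seconds; s++)
        for (uint32_t i = 0; i < pps; i++) {
            uint64_t now_ms = (uint64_t)s * 1000 + (uint64_t)i * 1000 / pps;
            n++;
            if (segment_arrived(&c, now_ms, payload_len))
                return n;
        }
    return 0;
}

int main(void)
{
    printf("4716 pps, 1-byte payload:    reset at segment %u\n", simulate(4716, 1, 2));
    printf("4716 pps, 1448-byte payload: reset at segment %u\n", simulate(4716, 1448, 2));
    printf("900 pps, 1-byte payload:     reset at segment %u\n", simulate(900, 1, 3));
    return 0;
}
```

Both conditions must hold at once, so a bulk transfer at a high packet rate and a low-rate stream of tiny segments both pass; only the combination of high pps and small average payload is dropped.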
..
libalias Grrr...add the Skinny alias code forgotten in the last commit. 2003-09-23 07:42:33 +00:00
accf_data.c
accf_http.c
icmp6.h revert following unwanted changes: 2003-10-25 10:57:08 +00:00
icmp_var.h
if_atm.c replace explicit changes to rt_refcnt by RT_ADDREF and RT_REMREF 2003-11-08 23:36:32 +00:00
if_atm.h
if_ether.c I didn't notice it right away, but check the right length too. 2003-12-23 14:08:50 +00:00
if_ether.h Update netisr handling; Each SWI now registers its queue, and all queue 2003-03-04 23:19:55 +00:00
igmp_var.h
igmp.c Remove redundant initialization of rti; SLIST_FOREACH does that for 2003-08-28 22:15:05 +00:00
igmp.h
in_cksum.c
in_gif.c add ECN support in layer-3. 2003-10-29 15:07:04 +00:00
in_gif.h - fix typo in comment. 2003-10-07 17:46:18 +00:00
in_pcb.c Make sure all uses of stack allocated struct route's are properly 2003-11-26 20:31:13 +00:00
in_pcb.h Split the "inp" mutex class into separate classes for each of divert, 2003-11-26 01:40:44 +00:00
in_proto.c divert socket fixups: 2003-11-08 23:09:42 +00:00
in_rmx.c Introduce tcp_hostcache and remove the tcp specific metrics from 2003-11-20 20:07:39 +00:00
in_systm.h
in_var.h Introduce ip_fastforward and remove ip_flow. 2003-11-14 21:02:22 +00:00
in.c Document the net.inet.ip.subnets_are_local sysctl. 2003-12-30 16:05:03 +00:00
in.h correct namespace pollution. 2003-10-25 09:37:10 +00:00
ip6.h revert following unwanted changes: 2003-10-25 10:57:08 +00:00
ip_divert.c Split the "inp" mutex class into separate classes for each of divert, 2003-11-26 01:40:44 +00:00
ip_dummynet.c o Fix a comment: softticks lives in sys/kern/kern_timeout.c. 2003-12-27 14:08:53 +00:00
ip_dummynet.h place some kernel-specific data structures under #ifdef _KERNEL 2003-10-03 20:58:56 +00:00
ip_ecn.c add ECN support in layer-3. 2003-10-29 15:07:04 +00:00
ip_ecn.h add ECN support in layer-3. 2003-10-29 15:07:04 +00:00
ip_encap.c Remove unused variables. 2003-06-01 09:20:38 +00:00
ip_encap.h
ip_fastfwd.c Catch a few places where NULL (pointer) was used where 0 (integer) was 2003-12-23 02:36:43 +00:00
ip_fw2.c NULL is not 0. 2003-12-24 18:22:04 +00:00
ip_fw.h Replace the if_name and if_unit members of struct ifnet with new members 2003-10-31 18:32:15 +00:00
ip_gre.c Sync with NetBSD: 2003-12-30 11:41:43 +00:00
ip_gre.h de-__P(). 2002-10-16 22:27:27 +00:00
ip_icmp.c Limiters and sanity checks for TCP MSS (maximum segment size) 2004-01-08 17:40:07 +00:00
ip_icmp.h Add comments regarding the ICMP timestamp fields. 2003-03-21 15:28:10 +00:00
ip_id.c MFp4: reminder that random id code is not reentrant 2003-11-07 23:31:29 +00:00
ip_input.c Make sure all uses of stack allocated struct route's are properly 2003-11-26 20:31:13 +00:00
ip_mroute.c o move mutex init/destroy logic to the module load/unload hooks; 2003-12-20 18:32:48 +00:00
ip_mroute.h 1. Basic PIM kernel support 2003-08-07 18:16:59 +00:00
ip_output.c Do not set the ip_id to zero when DF is set on packet and 2004-01-08 11:13:40 +00:00
ip_var.h Make ipstealth global as we need it in ip_fastforward too. 2003-11-15 01:45:56 +00:00
ip.h add ECN support in layer-3. 2003-10-29 15:07:04 +00:00
ipprotosw.h
pim_var.h New PIM header files. 2003-08-07 18:17:43 +00:00
pim.h New PIM header files. 2003-08-07 18:17:43 +00:00
raw_ip.c Split the "inp" mutex class into separate classes for each of divert, 2003-11-26 01:40:44 +00:00
tcp_debug.c It's now sufficient to rely on a nested include of _label.h to make sure 2002-08-15 14:34:45 +00:00
tcp_debug.h make the strings for tcptimers, tanames and prurequests const to silence 2002-08-16 09:07:59 +00:00
tcp_fsm.h
tcp_hostcache.c Swap destination and source arguments of two bcopy() calls. 2003-12-02 21:25:12 +00:00
tcp_input.c Limiters and sanity checks for TCP MSS (maximum segment size) 2004-01-08 17:40:07 +00:00
tcp_output.c Introduce tcp_hostcache and remove the tcp specific metrics from 2003-11-20 20:07:39 +00:00
tcp_reass.c Limiters and sanity checks for TCP MSS (maximum segment size) 2004-01-08 17:40:07 +00:00
tcp_seq.h Unify the "send high" and "recover" variables as specified in the 2003-07-15 21:49:53 +00:00
tcp_subr.c Limiters and sanity checks for TCP MSS (maximum segment size) 2004-01-08 17:40:07 +00:00
tcp_syncache.c Introduce tcp_hostcache and remove the tcp specific metrics from 2003-11-20 20:07:39 +00:00
tcp_timer.c Introduce tcp_hostcache and remove the tcp specific metrics from 2003-11-20 20:07:39 +00:00
tcp_timer.h Remove a panic(); if the zone allocator can't provide more timewait 2003-03-08 22:06:20 +00:00
tcp_timewait.c Limiters and sanity checks for TCP MSS (maximum segment size) 2004-01-08 17:40:07 +00:00
tcp_usrreq.c Limiters and sanity checks for TCP MSS (maximum segment size) 2004-01-08 17:40:07 +00:00
tcp_var.h Limiters and sanity checks for TCP MSS (maximum segment size) 2004-01-08 17:40:07 +00:00
tcp.h Limiters and sanity checks for TCP MSS (maximum segment size) 2004-01-08 17:40:07 +00:00
tcpip.h
udp_usrreq.c Split the "inp" mutex class into separate classes for each of divert, 2003-11-26 01:40:44 +00:00
udp_var.h
udp.h