Commit c074da28 authored by Eric Dumazet's avatar Eric Dumazet Committed by David S. Miller
Browse files

ipv4: tcp: dont cache unconfirmed intput dst 



DDOS synflood attacks hit badly IP route cache.

On typical machines, this cache is allowed to hold up to 8 Millions dst
entries, 256 bytes for each, for a total of 2GB of memory.

rt_garbage_collect() triggers and tries to cleanup things.

Eventually route cache is disabled but machine is under fire and might
OOM and crash.

This patch exploits the new TCP early demux, to set a nocache
boolean in case incoming TCP frame is for a not yet ESTABLISHED or
TIMEWAIT socket.

This 'nocache' boolean is then used in case dst entry is not found in
route cache, to create an unhashed dst entry (DST_NOCACHE)

SYN-cookie-ACK sent use a similar mechanism (ipv4: tcp: dont cache
output dst for syncookies), so after this patch, a machine is able to
absorb a DDOS synflood attack without polluting its IP route cache.

Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
Cc: Hans Schillstrom <hans.schillstrom@ericsson.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 93040ae5

include/net/protocol.h

+1 −1
Original line number Diff line number Diff line
@@ -37,7 +37,7 @@ 


/* This is used to register protocols. */

struct net_protocol {

	int			(*early_demux)(struct sk_buff *skb);

	int			(*early_demux)(struct sk_buff *skb, bool *nocache);

	int			(*handler)(struct sk_buff *skb);

	void			(*err_handler)(struct sk_buff *skb, u32 info);

	int			(*gso_send_check)(struct sk_buff *skb);

include/net/route.h

+4 −4
Original line number Diff line number Diff line
@@ -201,18 +201,18 @@ static inline struct rtable *ip_route_output_gre(struct net *net, struct flowi4 
}



extern int ip_route_input_common(struct sk_buff *skb, __be32 dst, __be32 src,

				 u8 tos, struct net_device *devin, bool noref);

				 u8 tos, struct net_device *devin, bool noref, bool nocache);



static inline int ip_route_input(struct sk_buff *skb, __be32 dst, __be32 src,

				 u8 tos, struct net_device *devin)

{

	return ip_route_input_common(skb, dst, src, tos, devin, false);

	return ip_route_input_common(skb, dst, src, tos, devin, false, false);

}



static inline int ip_route_input_noref(struct sk_buff *skb, __be32 dst, __be32 src,

				       u8 tos, struct net_device *devin)

				       u8 tos, struct net_device *devin, bool nocache)

{

	return ip_route_input_common(skb, dst, src, tos, devin, true);

	return ip_route_input_common(skb, dst, src, tos, devin, true, nocache);

}



extern void ipv4_update_pmtu(struct sk_buff *skb, struct net *net, u32 mtu,

include/net/tcp.h

+1 −1
Original line number Diff line number Diff line
@@ -325,7 +325,7 @@ extern void tcp_v4_err(struct sk_buff *skb, u32); 


extern void tcp_shutdown (struct sock *sk, int how);



extern int tcp_v4_early_demux(struct sk_buff *skb);

extern int tcp_v4_early_demux(struct sk_buff *skb, bool *nocache);

extern int tcp_v4_rcv(struct sk_buff *skb);



extern struct inet_peer *tcp_v4_get_peer(struct sock *sk);

net/ipv4/arp.c

+1 −1
Original line number Diff line number Diff line
@@ -828,7 +828,7 @@ static int arp_process(struct sk_buff *skb) 
	}



	if (arp->ar_op == htons(ARPOP_REQUEST) &&

	    ip_route_input_noref(skb, tip, sip, 0, dev) == 0) {

	    ip_route_input_noref(skb, tip, sip, 0, dev, false) == 0) {



		rt = skb_rtable(skb);

		addr_type = rt->rt_type;

net/ipv4/ip_fragment.c

+1 −1
Original line number Diff line number Diff line
@@ -259,7 +259,7 @@ static void ip_expire(unsigned long arg) 
		skb_dst_drop(head);

		iph = ip_hdr(head);

		err = ip_route_input_noref(head, iph->daddr, iph->saddr,

					   iph->tos, head->dev);

					   iph->tos, head->dev, false);

		if (err)

			goto out_rcu_unlock;

CRA Git | Maintained and supported by SUSTech CRA and CCSE