Re: [tcpm] mitigating TCP ACK loop ("ACK storm") DoS attacks
"Zimmermann, Alexander" <Alexander.Zimmermann@netapp.com> Tue, 10 February 2015 08:08 UTC
Return-Path: <Alexander.Zimmermann@netapp.com>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A709D1A0275 for <tcpm@ietfa.amsl.com>; Tue, 10 Feb 2015 00:08:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.311
X-Spam-Level:
X-Spam-Status: No, score=-8.311 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, GB_I_LETTER=-2, J_CHICKENPOX_35=0.6, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xUrzOAFJr8-A for <tcpm@ietfa.amsl.com>; Tue, 10 Feb 2015 00:08:28 -0800 (PST)
Received: from mx141.netapp.com (mx141.netapp.com [216.240.21.12]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 651091A0173 for <tcpm@ietf.org>; Tue, 10 Feb 2015 00:08:28 -0800 (PST)
X-IronPort-AV: E=Sophos;i="5.09,548,1418112000"; d="asc'?scan'208";a="22867095"
Received: from hioexcmbx07-prd.hq.netapp.com ([10.122.105.40]) by mx141-out.netapp.com with ESMTP; 10 Feb 2015 00:03:27 -0800
Received: from HIOEXCMBX06-PRD.hq.netapp.com (10.122.105.39) by hioexcmbx07-prd.hq.netapp.com (10.122.105.40) with Microsoft SMTP Server (TLS) id 15.0.995.29; Tue, 10 Feb 2015 00:03:26 -0800
Received: from HIOEXCMBX06-PRD.hq.netapp.com ([::1]) by hioexcmbx06-prd.hq.netapp.com ([fe80::fd84:3b4:c925:550f%21]) with mapi id 15.00.0995.031; Tue, 10 Feb 2015 00:03:27 -0800
From: "Zimmermann, Alexander" <Alexander.Zimmermann@netapp.com>
To: Eddy Wesley <wes@mti-systems.com>, "tcpm@ietf.org" <tcpm@ietf.org>, Neal Cardwell <ncardwell@google.com>
Thread-Topic: [tcpm] mitigating TCP ACK loop ("ACK storm") DoS attacks
Thread-Index: AQHQRNby64zDLyB9ekq+ZyjM0ZzskZzqDIQA
Date: Tue, 10 Feb 2015 08:03:26 +0000
Message-ID: <C5E1B080-15EF-4194-9892-9B775A6DA2A4@netapp.com>
References: <CADVnQynQ07-=gzUGbBivua17guztXG7hF4u3gk9m1D+sYyB_Fw@mail.gmail.com>
In-Reply-To: <CADVnQynQ07-=gzUGbBivua17guztXG7hF4u3gk9m1D+sYyB_Fw@mail.gmail.com>
Accept-Language: de-DE, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.2070.6)
x-originating-ip: [10.120.60.35]
Content-Type: multipart/signed; boundary="Apple-Mail=_56FABF39-C409-4C36-8B10-5AA0BE1F4194"; protocol="application/pgp-signature"; micalg="pgp-sha1"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/tcpm/gqm57K2fmXB07A3Ei-wCy1gPIFw>
Subject: Re: [tcpm] mitigating TCP ACK loop ("ACK storm") DoS attacks
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpm/>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Feb 2015 08:08:35 -0000
Hi all, I discussed this patch a bit w/ Neal yesterday. It was not clear to me (and maybe shame on me) that exist cases in which TCP sends an (DUP)ACK in response to a pure ACK. Parts of this „problem“ belongs to RFC793 (see background below). It’s maybe a good opportunity to include some text about this in RFC793bis. BTW: Do we think as WG that 793bis is a good thing to do? And if the answer is yes, why do we not start an adoption call? Alex > Am 10.02.2015 um 03:11 schrieb Neal Cardwell <ncardwell@google.com>: > > TCP DoS scenarios involving ACK loops (aka "ACK storms" or "packet > wars") have come up previously on the TCPM list. For example, Anil > Agarwal brought them up in the Nov 2013 TCPM thread "TCP mismatched > sequence numbers issue" > > I wanted to mention that our TCP team at Google has recently submitted > a patch series for Linux that mitigates such attacks by rate-limiting > the dupacks that are sent in response to out-of-window incoming > packets. The code has been in use at Google and was recently merged > into the official Linux "net-next" tree, which means that it should > land in the next official Linux release. > > The patch series summary can be browsed at the following URL: > > http://git.kernel.org/cgit/linux/kernel/git/davem/net-next.git/commit/?id=f06535c599354816cfbc653ce8965804c7385c61 > > Below I'm including the cover letter summarizing the patch series, for > convenience/reference. > > We are interested to hear any feedback folks may have. > > Thanks! > > neal > > ============== > > tcp: mitigate TCP ACK loops due to out-of-window validation dupacks > > This patch series mitigates "ack loop" DoS scenarios by rate-limiting > outgoing duplicate ACKs sent in response to incoming "out of window" > segments. > > Background > ----------- > > There are several cases in which the TCP RFCs specify that a TCP > endpoint should send a pure duplicate ACK in response to a pure > duplicate ACK that appears to be invalid due to being "out of window": > > (1) RFC 793 (section 3.9, page 69) specifies that endpoints should > send a duplicate ACK in response to an ACK when the incoming > sequence number is invalid due to being outside the receive > window: "If an incoming segment is not acceptable, an > acknowledgment should be sent in reply". > > (2) RFC 793 (section 3.9, page 72) says: "If the ACK acknowledges > something not yet sent (SEG.ACK > SND.NXT) then send an ACK". > > (3) RFC 1323 (section 4.2.1, page 18) specifies that endpoints should > send a duplicate ACK in response to an ACK when the PAWS check for > the incoming timestamp value fails: "If .... SEG.TSval < TS.Recent > and if TS.Recent is valid ... Send an acknowledgement in reply" > > tcpm mailing list > tcpm@ietf.org > https://www.ietf.org/mailman/listinfo/tcpm
- [tcpm] mitigating TCP ACK loop ("ACK storm") DoS … Neal Cardwell
- Re: [tcpm] mitigating TCP ACK loop ("ACK storm") … Zimmermann, Alexander
- Re: [tcpm] mitigating TCP ACK loop ("ACK storm") … Wesley Eddy
- Re: [tcpm] mitigating TCP ACK loop ("ACK storm") … Jeremy Harris
- Re: [tcpm] mitigating TCP ACK loop ("ACK storm") … Neal Cardwell
- Re: [tcpm] mitigating TCP ACK loop ("ACK storm") … Mirja Kühlewind
- Re: [tcpm] mitigating TCP ACK loop ("ACK storm") … Scharf, Michael (Michael)
- Re: [tcpm] mitigating TCP ACK loop ("ACK storm") … Eric Dumazet