Re: DDoS attack causing bad effect on conntrack searches

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

From: Paul E. McKenney

Subject: Re: DDoS attack causing bad effect on conntrack searches

Date: Thursday, April 22, 2010 - 8:51 am

On Thu, Apr 22, 2010 at 04:53:49PM +0200, Eric Dumazet wrote:
quoted text> Le jeudi 22 avril 2010 à 16:36 +0200, Eric Dumazet a écrit :
> 
> > If one hash slot is under attack, then there is a bug somewhere.
> > 
> > If we cannot avoid this, we can fallback to a secure mode at the second
> > retry, and take the spinlock.
> > 
> > Tis way, most of lookups stay lockless (one pass), and some might take
> > the slot lock to avoid the possibility of a loop.
> > 
> > I suspect a bug elsewhere, quite frankly !
> > 
> > We have a chain that have an end pointer that doesnt match the expected
> > one.
> > 
> 
> On normal situation, we always finish the lookup :
> 
> 1) If we found the thing we were looking at.
> 
> 2) We get the list end (item not found), we then check if it is the
> expected end.
> 
> It is _not_ the expected end only if some writer deleted/inserted an
> element in _this_ chain during our lookup.

So this situation uses SLAB_DESTROY_BY_RCU to quickly recycle deleted
elements?  (Not obvious from the code, but my ignorance of the networking
code is such that many things in that part of the kernel are not obvious
to me, I am afraid.)

Otherwise, of course you would simply allow deleted elements to continue
pointing where they did previously, so that concurrent readers would not
miss anything.

Of course, the same potential might arise on insertion, but it is usually
OK to miss an element that was inserted after you started searching.

quoted text> Because our lookup is lockless, we then have to redo it because we might
> miss the object we are looking for.

Ah...  Is there also a resize operation?  Herbert did do a resizable
hash table recently, but I was under the impression that (1) it was in
some other part of the networking stack and (2) it avoided the need to
restart readers.

quoted text> If we can do the 'retry' a 10 times, it means the attacker was really
> clever enough to inject new packets (new conntracks) at the right
> moment, in the right hash chain, and this sounds so higly incredible
> that I cannot believe it at all :)

Or maybe the DoS attack is injecting so many new conntracks that a large
fraction of the hash chains are being modified at any given time?

							Thanx, Paul
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

DDoS attack causing bad effect on conntrack searches, Jesper Dangaard Brouer, (Thu Apr 22, 5:58 am)

Re: DDoS attack causing bad effect on conntrack searches, Changli Gao, (Thu Apr 22, 6:13 am)

Re: DDoS attack causing bad effect on conntrack searches, Patrick McHardy, (Thu Apr 22, 6:17 am)

Re: DDoS attack causing bad effect on conntrack searches, Jesper Dangaard Brouer, (Thu Apr 22, 6:31 am)

Re: DDoS attack causing bad effect on conntrack searches, Eric Dumazet, (Thu Apr 22, 7:36 am)

Re: DDoS attack causing bad effect on conntrack searches, Eric Dumazet, (Thu Apr 22, 7:53 am)

Re: DDoS attack causing bad effect on conntrack searches, Paul E. McKenney, (Thu Apr 22, 8:51 am)

Re: DDoS attack causing bad effect on conntrack searches, Eric Dumazet, (Thu Apr 22, 9:02 am)

Re: DDoS attack causing bad effect on conntrack searches, Paul E. McKenney, (Thu Apr 22, 9:34 am)

Re: DDoS attack causing bad effect on conntrack searches, Jesper Dangaard Brouer, (Thu Apr 22, 1:38 pm)

Re: DDoS attack causing bad effect on conntrack searches, Eric Dumazet, (Thu Apr 22, 2:03 pm)

Re: DDoS attack causing bad effect on conntrack searches, Eric Dumazet, (Thu Apr 22, 2:14 pm)

Re: DDoS attack causing bad effect on conntrack searches, Jesper Dangaard Brouer, (Thu Apr 22, 2:28 pm)

Re: DDoS attack causing bad effect on conntrack searches, David Miller, (Thu Apr 22, 4:44 pm)

Re: DDoS attack causing bad effect on conntrack searches, Eric Dumazet, (Thu Apr 22, 10:44 pm)

Re: DDoS attack causing bad effect on conntrack searches, Jan Engelhardt, (Fri Apr 23, 12:23 am)

Re: DDoS attack causing bad effect on conntrack searches, Eric Dumazet, (Fri Apr 23, 12:46 am)

Re: DDoS attack causing bad effect on conntrack searches, Jan Engelhardt, (Fri Apr 23, 12:55 am)

Re: DDoS attack causing bad effect on conntrack searches, David Miller, (Fri Apr 23, 1:13 am)

Re: DDoS attack causing bad effect on conntrack searches, David Miller, (Fri Apr 23, 1:18 am)

Re: DDoS attack causing bad effect on conntrack searches, Jesper Dangaard Brouer, (Fri Apr 23, 1:40 am)

Re: DDoS attack causing bad effect on conntrack searches, Eric Dumazet, (Fri Apr 23, 2:23 am)

Re: DDoS attack causing bad effect on conntrack searches, Patrick McHardy, (Fri Apr 23, 3:35 am)

Re: DDoS attack causing bad effect on conntrack searches, Patrick McHardy, (Fri Apr 23, 3:36 am)

Re: DDoS attack causing bad effect on conntrack searches, Patrick McHardy, (Fri Apr 23, 3:55 am)

Re: DDoS attack causing bad effect on conntrack searches, Patrick McHardy, (Fri Apr 23, 3:56 am)

Re: DDoS attack causing bad effect on conntrack searches, Eric Dumazet, (Fri Apr 23, 4:05 am)

Re: DDoS attack causing bad effect on conntrack searches, Eric Dumazet, (Fri Apr 23, 4:06 am)

Re: DDoS attack causing bad effect on conntrack searches, Patrick McHardy, (Fri Apr 23, 4:06 am)

Re: DDoS attack causing bad effect on conntrack searches, Jesper Dangaard Brouer, (Fri Apr 23, 5:45 am)

Re: DDoS attack causing bad effect on conntrack searches, Patrick McHardy, (Fri Apr 23, 6:57 am)

Re: DDoS attack causing bad effect on conntrack searches, Eric Dumazet, (Fri Apr 23, 1:57 pm)

Re: DDoS attack causing bad effect on conntrack searches, Jesper Dangaard Brouer, (Sat Apr 24, 4:11 am)

Re: DDoS attack causing bad effect on conntrack searches, Eric Dumazet, (Sat Apr 24, 1:11 pm)

Re: DDoS attack causing bad effect on conntrack searches, Jesper Dangaard Brouer, (Mon Apr 26, 7:36 am)

Re: DDoS attack causing bad effect on conntrack searches, Eric Dumazet, (Mon May 31, 2:21 pm)

Re: DDoS attack causing bad effect on conntrack searches, Changli Gao, (Mon May 31, 5:28 pm)

Re: DDoS attack causing bad effect on conntrack searches, Eric Dumazet, (Mon May 31, 10:05 pm)

Re: DDoS attack causing bad effect on conntrack searches, Changli Gao, (Mon May 31, 10:48 pm)

Re: DDoS attack causing bad effect on conntrack searches, Patrick McHardy, (Tue Jun 1, 3:18 am)

Re: DDoS attack causing bad effect on conntrack searches, Eric Dumazet, (Tue Jun 1, 3:31 am)

Re: DDoS attack causing bad effect on conntrack searches, Patrick McHardy, (Tue Jun 1, 3:41 am)

[RFC nf-next-2.6] conntrack: per cpu nf_conntrack_untracked, Eric Dumazet, (Tue Jun 1, 9:20 am)

Re: [RFC nf-next-2.6] conntrack: per cpu nf_conntrack_untr ..., Patrick McHardy, (Fri Jun 4, 4:40 am)

Re: [RFC nf-next-2.6] conntrack: per cpu nf_conntrack_untr ..., Changli Gao, (Fri Jun 4, 5:10 am)

Re: [RFC nf-next-2.6] conntrack: per cpu nf_conntrack_untr ..., Patrick McHardy, (Fri Jun 4, 5:29 am)

Re: [RFC nf-next-2.6] conntrack: per cpu nf_conntrack_untr ..., Eric Dumazet, (Fri Jun 4, 5:36 am)

[PATCH nf-next-2.6] conntrack: IPS_UNTRACKED bit, Eric Dumazet, (Fri Jun 4, 9:25 am)

[PATCH nf-next-2.6 2/2] conntrack: per_cpu untracking, Eric Dumazet, (Fri Jun 4, 1:15 pm)

Re: [PATCH nf-next-2.6] conntrack: IPS_UNTRACKED bit, Patrick McHardy, (Tue Jun 8, 7:12 am)

Re: [PATCH nf-next-2.6 2/2] conntrack: per_cpu untracking, Patrick McHardy, (Tue Jun 8, 7:29 am)

Re: [PATCH nf-next-2.6 2/2] conntrack: per_cpu untracking, Eric Dumazet, (Tue Jun 8, 7:52 am)

Re: [PATCH nf-next-2.6 2/2] conntrack: per_cpu untracking, Eric Dumazet, (Tue Jun 8, 8:12 am)

Re: [PATCH nf-next-2.6 2/2] conntrack: per_cpu untracking, Patrick McHardy, (Wed Jun 9, 5:45 am)


linux-kernel:
Tejun Heo	Re: your mail
Ingo Molnar	Re: [patch] e1000=y && e1000e=m regression fix
Robert Richter	Re: [PATCH] oprofile: Implement Intel architectural perfmon support
Eli Cohen	Re: LRO num of frags limit
Pavel Machek	min_free_kbytes documentation, /proc/sys/vm docs
git:
Bill Lear	cpio command not found
Gary Yang	fatal: did you run git update-server-info on the server? mv post-update.sample pos...
Ben Schmidt	Getting the path right for git over SSH
Fredrik Kuivinen	Re: fatal: unable to create '.git/index': File exists
Laflen, Brandon (GE, Research)	RE: fatal: Unable to find remote helper for 'http'
linux-netdev:
Sage Weil	Re: [2/3] POHMELFS: Documentation.
Patrick McHardy	Re: [ANNOUNCE]: First release of nftables
Frans Pop	svc: failed to register lockdv1 RPC service (errno 97).
Sage Weil	Re: [2/3] POHMELFS: Documentation.
Eric Dumazet	Re: [PATCH] ipv4/route.c: respect prefsrc for local routes
openbsd-misc:
Paul M	Corrupted RAIDFrame device
nixlists	Re: OpenSMTPd actual development and integration
Steve Shockley	Re: Blocking Teamviewer
David Newman	Re: 4.2 and 4.3 BIND: masters_list does not work with masters option
Anders Langworthy	Re: What does your environment look like?
git-commits-head:
Linux Kernel Mailing List	Remove empty comment in acpi/power.c
Linux Kernel Mailing List	Linux 2.6.34-rc4
Linux Kernel Mailing List	swiotlb: replace architecture-specific swiotlb.h with linux/swiotlb.h
Linux Kernel Mailing List	x86 boot: only pick up additional EFI memmap if add_efi_memmap flag
Linux Kernel Mailing List	[ARM] 5269/1: ARMv7: Use -march=armv7-a as compiler flag