iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/net/ipv4
History
Eric Dumazet c074da2810 ipv4: tcp: dont cache unconfirmed intput dst 
DDOS synflood attacks hit badly IP route cache.

On typical machines, this cache is allowed to hold up to 8 Millions dst
entries, 256 bytes for each, for a total of 2GB of memory.

rt_garbage_collect() triggers and tries to cleanup things.

Eventually route cache is disabled but machine is under fire and might
OOM and crash.

This patch exploits the new TCP early demux, to set a nocache
boolean in case incoming TCP frame is for a not yet ESTABLISHED or
TIMEWAIT socket.

This 'nocache' boolean is then used in case dst entry is not found in
route cache, to create an unhashed dst entry (DST_NOCACHE)

SYN-cookie-ACK sent use a similar mechanism (ipv4: tcp: dont cache
output dst for syncookies), so after this patch, a machine is able to
absorb a DDOS synflood attack without polluting its IP route cache.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Hans Schillstrom <hans.schillstrom@ericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2012-06-27 15:34:24 -07:00
..
netfilter
netfilter: ipt_ULOG: Move away from NLMSG_PUT().
2012-06-26 21:30:49 -07:00
af_inet.c
ipv4: Early TCP socket demux.
2012-06-19 21:22:05 -07:00
ah4.c
ipv4: Handle PMTU in all ICMP error handlers.
2012-06-14 22:22:07 -07:00
arp.c
ipv4: tcp: dont cache unconfirmed intput dst
2012-06-27 15:34:24 -07:00
cipso_ipv4.c
ipv4: Convert call_rcu() to kfree_rcu(), drop opt_kfree_rcu()
2012-02-21 09:03:31 -08:00
datagram.c
ipv4: Lock socket and use cork flow in ip4_datagram_connect().
2011-05-08 13:48:57 -07:00
devinet.c
ipv4: Add interface option to enable routing of 127.0.0.0/8
2012-06-12 15:25:46 -07:00
esp4.c
ipv4: Handle PMTU in all ICMP error handlers.
2012-06-14 22:22:07 -07:00
fib_frontend.c
net: cleanup unsigned to unsigned int
2012-04-15 12:44:40 -04:00
fib_lookup.h
ipv4: Fix nexthop caching wrt. scoping.
2011-03-24 18:06:47 -07:00
fib_rules.c
ipv4: Stop using NLA_PUT*().
2012-04-02 04:33:43 -04:00
fib_semantics.c
ipv4: Cap ADVMSS metric in the FIB rather than the routing cache.
2012-06-17 19:47:34 -07:00
fib_trie.c
inet: Add inetpeer tree roots to the FIB tables.
2012-06-11 02:09:16 -07:00
gre.c
net: ipv4: Standardize prefixes for message logging
2012-03-12 17:05:21 -07:00
icmp.c
inet: Sanitize inet{,6} protocol demux.
2012-06-19 18:56:21 -07:00
igmp.c
ipv4: fix checkpatch errors
2012-04-15 12:37:19 -04:00
inet_connection_sock.c
ipv4: tcp: dont cache output dst for syncookies
2012-06-22 21:47:33 -07:00
inet_diag.c
inet_diag: Move away from NLMSG_PUT().
2012-06-26 21:28:54 -07:00
inet_fragment.c
inetpeer: add parameter net for inet_getpeer_v4,v6
2012-06-08 14:27:23 -07:00
inet_hashtables.c
ipv4: fix checkpatch errors
2012-04-15 12:37:19 -04:00
inet_lro.c
net: add skb frag size accessors
2011-10-19 03:10:46 -04:00
inet_timewait_sock.c
net: ipv4 and ipv6: Convert printk(KERN_DEBUG to pr_debug
2012-05-16 01:01:03 -04:00
inetpeer.c
inetpeer: inetpeer_invalidate_tree() cleanup
2012-06-20 14:38:55 -07:00
ip_forward.c
snmp: fix OutOctets counter to include forwarded datagrams
2012-06-07 14:50:56 -07:00
ip_fragment.c
ipv4: tcp: dont cache unconfirmed intput dst
2012-06-27 15:34:24 -07:00
ip_gre.c
ipv4: Handle PMTU in all ICMP error handlers.
2012-06-14 22:22:07 -07:00
ip_input.c
ipv4: tcp: dont cache unconfirmed intput dst
2012-06-27 15:34:24 -07:00
ip_options.c
net: Convert net_ratelimit uses to net_<level>_ratelimited
2012-05-15 13:45:03 -04:00
ip_output.c
net-next: add dev_loopback_xmit() to avoid duplicate code
2012-06-12 18:51:09 -07:00
ip_sockglue.c
net: IP_MULTICAST_IF setsockopt now recognizes struct mreq
2012-05-07 23:03:22 -04:00
ipcomp.c
ipv4: Handle PMTU in all ICMP error handlers.
2012-06-14 22:22:07 -07:00
ipconfig.c
net/ipv4/ipconfig: neaten __setup placement
2012-05-20 04:06:16 -04:00
ipip.c
ipv4: Handle PMTU in all ICMP error handlers.
2012-06-14 22:22:07 -07:00
ipmr.c
snmp: fix OutOctets counter to include forwarded datagrams
2012-06-07 14:50:56 -07:00
Kconfig
net: delete all instances of special processing for token ring
2012-05-15 20:14:35 -04:00
Makefile
tcp memory pressure controls
2011-12-12 19:04:10 -05:00
netfilter.c
net: Delete all remaining instances of ctl_path
2012-04-20 21:22:30 -04:00
ping.c
ipv4: Handle PMTU in all ICMP error handlers.
2012-06-14 22:22:07 -07:00
proc.c
tcp: reduce out_of_order memory use
2012-03-19 16:53:08 -04:00
protocol.c
inet: Sanitize inet{,6} protocol demux.
2012-06-19 18:56:21 -07:00
raw.c
ipv4: Handle PMTU in all ICMP error handlers.
2012-06-14 22:22:07 -07:00
route.c
ipv4: tcp: dont cache unconfirmed intput dst
2012-06-27 15:34:24 -07:00
syncookies.c
tcp: fix syncookie regression
2012-03-11 15:52:12 -07:00
sysctl_net_ipv4.c
ipv4: Add sysctl knob to control early socket demux
2012-06-22 17:11:13 -07:00
tcp_bic.c
tcp: fix undo after RTO for BIC
2012-01-20 14:17:26 -05:00
tcp_cong.c
tcp: bool conversions
2012-05-17 14:59:59 -04:00
tcp_cubic.c
tcp: fix undo after RTO for CUBIC
2012-01-20 14:17:26 -05:00
tcp_diag.c
inet_diag: Rename inet_diag_req into inet_diag_req_v2
2012-01-11 12:56:06 -08:00
tcp_highspeed.c
tcp: mark tcp_congestion_ops read_mostly
2011-03-10 00:40:17 -08:00
tcp_htcp.c
tcp: mark tcp_congestion_ops read_mostly
2011-03-10 00:40:17 -08:00
tcp_hybla.c
tcp: bool conversions
2012-05-17 14:59:59 -04:00
tcp_illinois.c
tcp: mark tcp_congestion_ops read_mostly
2011-03-10 00:40:17 -08:00
tcp_input.c
ipv4: Early TCP socket demux.
2012-06-19 21:22:05 -07:00
tcp_ipv4.c
ipv4: tcp: dont cache unconfirmed intput dst
2012-06-27 15:34:24 -07:00
tcp_lp.c
Fix common misspellings
2011-03-31 11:26:23 -03:00
tcp_memcontrol.c
memcg: decrement static keys at real destroy time
2012-05-29 16:22:28 -07:00
tcp_minisocks.c
ipv4: Early TCP socket demux.
2012-06-19 21:22:05 -07:00
tcp_output.c
tcp: tcp_make_synack() consumes dst parameter
2012-06-04 11:27:39 -04:00
tcp_probe.c
net: cleanup unsigned to unsigned int
2012-04-15 12:44:40 -04:00
tcp_scalable.c
tcp: mark tcp_congestion_ops read_mostly
2011-03-10 00:40:17 -08:00
tcp_timer.c
tcp: early retransmit: delayed fast retransmit
2012-05-02 20:56:10 -04:00
tcp_vegas.c
tcp: mark tcp_congestion_ops read_mostly
2011-03-10 00:40:17 -08:00
tcp_vegas.h
tcp_veno.c
tcp: mark tcp_congestion_ops read_mostly
2011-03-10 00:40:17 -08:00
tcp_westwood.c
tcp: mark tcp_congestion_ops read_mostly
2011-03-10 00:40:17 -08:00
tcp_yeah.c
Fix common misspellings
2011-03-31 11:26:23 -03:00
tcp.c
mm: add a low limit to alloc_large_system_hash
2012-05-24 00:28:21 -04:00
tunnel4.c
net: Convert printks to pr_<level>
2012-03-11 23:42:51 -07:00
udp_diag.c
udp_diag: implement idiag_get_info for udp/udplite to get queue information
2012-04-25 20:43:01 -04:00
udp_impl.h
ipv4: fix checkpatch errors
2012-04-15 12:37:19 -04:00
udp.c
ipv4: Handle PMTU in all ICMP error handlers.
2012-06-14 22:22:07 -07:00
udplite.c
net: ipv4: Standardize prefixes for message logging
2012-03-12 17:05:21 -07:00
xfrm4_input.c
ipv4: tcp: dont cache unconfirmed intput dst
2012-06-27 15:34:24 -07:00
xfrm4_mode_beet.c
ipsec: be careful of non existing mac headers
2012-02-23 16:50:45 -05:00
xfrm4_mode_transport.c
xfrm4_mode_tunnel.c
ipsec: be careful of non existing mac headers
2012-02-23 16:50:45 -05:00
xfrm4_output.c
xfrm4: Don't call icmp_send on local error
2011-07-01 17:33:19 -07:00
xfrm4_policy.c
inet: Hide route peer accesses behind helpers.
2012-06-11 02:08:47 -07:00
xfrm4_state.c
net: Add export.h for EXPORT_SYMBOL/THIS_MODULE to non-modules
2011-10-31 19:30:30 -04:00
xfrm4_tunnel.c
net: ipv4: Standardize prefixes for message logging
2012-03-12 17:05:21 -07:00