Re: [PATCH net-next] ipv4: tcp: dont cache unconfirmed intput dst

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

From: Eric Dumazet <eric.dumazet@xxxxxxxxx>
Date: Wed, 27 Jun 2012 11:14:15 +0200

> From: Eric Dumazet <edumazet@xxxxxxxxxx>
> DDOS synflood attacks hit badly IP route cache.
> On typical machines, this cache is allowed to hold up to 8 Millions dst
> entries, 256 bytes for each, for a total of 2GB of memory.
> rt_garbage_collect() triggers and tries to cleanup things.
> Eventually route cache is disabled but machine is under fire and might
> OOM and crash.
> This patch exploits the new TCP early demux, to set a nocache
> boolean in case incoming TCP frame is for a not yet ESTABLISHED or
> TIMEWAIT socket.
> This 'nocache' boolean is then used in case dst entry is not found in
> route cache, to create an unhashed dst entry (DST_NOCACHE)
> SYN-cookie-ACK sent use a similar mechanism (ipv4: tcp: dont cache
> output dst for syncookies), so after this patch, a machine is able to
> absorb a DDOS synflood attack without polluting its IP route cache.
> Signed-off-by: Eric Dumazet <edumazet@xxxxxxxxxx>

Applied, thanks Eric.
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at

[Linux Kernel Discussion]     [Ethernet Bridging]     [Linux Wireless Networking]     [Linux Bluetooth Networking]     [Linux Networking Users]     [VLAN]     [Git]     [IETF Annouce]     [Linux Assembly]     [Security]     [Bugtraq]     [Photo]     [Singles Social Networking]     [Yosemite Information]     [MIPS Linux]     [ARM Linux Kernel]     [ARM Linux]     [Linux Virtualization]     [Linux Security]     [Linux IDE]     [Linux RAID]     [Linux SCSI]     [Free Dating]

Add to Google Powered by Linux