-rw-r--r-- | sys/netinet/tcp.h | 8 | ||||
-rw-r--r-- | sys/netinet/tcp_input.c | 59 | ||||
-rw-r--r-- | sys/netinet/tcp_reass.c | 59 | ||||
-rw-r--r-- | sys/netinet/tcp_subr.c | 12 | ||||
-rw-r--r-- | sys/netinet/tcp_timewait.c | 12 | ||||
-rw-r--r-- | sys/netinet/tcp_usrreq.c | 5 | ||||
-rw-r--r-- | sys/netinet/tcp_var.h | 5 |
7 files changed, 0 insertions, 160 deletions
diff --git a/sys/netinet/tcp.h b/sys/netinet/tcp.h
index 3f744fb..048c63e 100644
--- a/sys/netinet/tcp.h
+++ b/sys/netinet/tcp.h
@@ -124,14 +124,6 @@ struct tcphdr {
 * Setting this to "0" disables the minmss check.
 */
 #define TCP_MINMSS 216
-/*
- * TCP_MINMSSOVERLOAD is defined to be 1000 which should cover any type
- * of interactive TCP session.
- * See tcp_subr.c tcp_minmssoverload SYSCTL declaration and tcp_input.c
- * for more comments.
- * Setting this to "0" disables the minmssoverload check.
- */
-#define TCP_MINMSSOVERLOAD 0 /* XXX: Disabled until refined */
 /*
 * Default maximum segment size for TCP6.
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index ba3eb78..b944272 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -1048,65 +1048,6 @@ after_listen:
 KASSERT(tp->t_state != TCPS_LISTEN, ("tcp_input: TCPS_LISTEN"));
 /*
- * This is the second part of the MSS DoS prevention code (after
- * minmss on the sending side) and it deals with too many too small
- * tcp packets in a too short timeframe (1 second).
- *
- * For every full second we count the number of received packets
- * and bytes. If we get a lot of packets per second for this connection
- * (tcp_minmssoverload) we take a closer look at it and compute the
- * average packet size for the past second. If that is less than
- * tcp_minmss we get too many packets with very small payload which
- * is not good and burdens our system (and every packet generates
- * a wakeup to the process connected to our socket). We can reasonable
- * expect this to be small packet DoS attack to exhaust our CPU
- * cycles.
- *
- * Care has to be taken for the minimum packet overload value. This
- * value defines the minimum number of packets per second before we
- * start to worry. This must not be too low to avoid killing for
- * example interactive connections with many small packets like
- * telnet or SSH.
- *
- * Setting either tcp_minmssoverload or tcp_minmss to "0" disables
- * this check.
- *
- * Account for packet if payload packet, skip over ACK, etc.
- */
- if (tcp_minmss && tcp_minmssoverload &&
- tp->t_state == TCPS_ESTABLISHED && tlen > 0) {
- if ((unsigned int)(tp->rcv_second - ticks) < hz) {
- tp->rcv_pps++;
- tp->rcv_byps += tlen + off;
- if (tp->rcv_pps > tcp_minmssoverload) {
- if ((tp->rcv_byps / tp->rcv_pps) < tcp_minmss) {
- printf("too many small tcp packets from "
- "%s:%u, av. %lubyte/packet, "
- "dropping connection\n",
-#ifdef INET6
- isipv6 ?
- ip6_sprintf(ip6buf,
- &inp->inp_inc.inc6_faddr) :
-#endif
- inet_ntoa(inp->inp_inc.inc_faddr),
- inp->inp_inc.inc_fport,
- tp->rcv_byps / tp->rcv_pps);
- KASSERT(headlocked, ("tcp_input: "
- "after_listen: tcp_drop: head "
- "not locked"));
- tp = tcp_drop(tp, ECONNRESET);
- tcpstat.tcps_minmssdrops++;
- goto drop;
- }
- }
- } else {
- tp->rcv_second = ticks + hz;
- tp->rcv_pps = 1;
- tp->rcv_byps = tlen + off;
- }
- }
-
- /*
 * Segment received on connection.
 * Reset idle time and keep-alive timer.
 */
diff --git a/sys/netinet/tcp_reass.c b/sys/netinet/tcp_reass.c
index ba3eb78..b944272 100644
--- a/sys/netinet/tcp_reass.c
+++ b/sys/netinet/tcp_reass.c
@@ -1048,65 +1048,6 @@ after_listen:
 KASSERT(tp->t_state != TCPS_LISTEN, ("tcp_input: TCPS_LISTEN"));
 /*
- * This is the second part of the MSS DoS prevention code (after
- * minmss on the sending side) and it deals with too many too small
- * tcp packets in a too short timeframe (1 second).
- *
- * For every full second we count the number of received packets
- * and bytes. If we get a lot of packets per second for this connection
- * (tcp_minmssoverload) we take a closer look at it and compute the
- * average packet size for the past second. If that is less than
- * tcp_minmss we get too many packets with very small payload which
- * is not good and burdens our system (and every packet generates
- * a wakeup to the process connected to our socket). We can reasonable
- * expect this to be small packet DoS attack to exhaust our CPU
- * cycles.
- *
- * Care has to be taken for the minimum packet overload value. This
- * value defines the minimum number of packets per second before we
- * start to worry. This must not be too low to avoid killing for
- * example interactive connections with many small packets like
- * telnet or SSH.
- *
- * Setting either tcp_minmssoverload or tcp_minmss to "0" disables
- * this check.
- *
- * Account for packet if payload packet, skip over ACK, etc.
- */
- if (tcp_minmss && tcp_minmssoverload &&
- tp->t_state == TCPS_ESTABLISHED && tlen > 0) {
- if ((unsigned int)(tp->rcv_second - ticks) < hz) {
- tp->rcv_pps++;
- tp->rcv_byps += tlen + off;
- if (tp->rcv_pps > tcp_minmssoverload) {
- if ((tp->rcv_byps / tp->rcv_pps) < tcp_minmss) {
- printf("too many small tcp packets from "
- "%s:%u, av. %lubyte/packet, "
- "dropping connection\n",
-#ifdef INET6
- isipv6 ?
- ip6_sprintf(ip6buf,
- &inp->inp_inc.inc6_faddr) :
-#endif
- inet_ntoa(inp->inp_inc.inc_faddr),
- inp->inp_inc.inc_fport,
- tp->rcv_byps / tp->rcv_pps);
- KASSERT(headlocked, ("tcp_input: "
- "after_listen: tcp_drop: head "
- "not locked"));
- tp = tcp_drop(tp, ECONNRESET);
- tcpstat.tcps_minmssdrops++;
- goto drop;
- }
- }
- } else {
- tp->rcv_second = ticks + hz;
- tp->rcv_pps = 1;
- tp->rcv_byps = tlen + off;
- }
- }
-
- /*
 * Segment received on connection.
 * Reset idle time and keep-alive timer.
 */
diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c
index de0cfee..2f1e385 100644
--- a/sys/netinet/tcp_subr.c
+++ b/sys/netinet/tcp_subr.c
@@ -137,18 +137,6 @@ SYSCTL_INT(_net_inet_tcp, TCPCTL_V6MSSDFLT, v6mssdflt,
 int tcp_minmss = TCP_MINMSS;
 SYSCTL_INT(_net_inet_tcp, OID_AUTO, minmss, CTLFLAG_RW,
 &tcp_minmss , 0, "Minmum TCP Maximum Segment Size");
-/*
- * Number of TCP segments per second we accept from remote host
- * before we start to calculate average segment size. If average
- * segment size drops below the minimum TCP MSS we assume a DoS
- * attack and reset+drop the connection. Care has to be taken not to
- * set this value too small to not kill interactive type connections
- * (telnet, SSH) which send many small packets.
- */
-int tcp_minmssoverload = TCP_MINMSSOVERLOAD;
-SYSCTL_INT(_net_inet_tcp, OID_AUTO, minmssoverload, CTLFLAG_RW,
- &tcp_minmssoverload , 0,
- "Number of TCP Segments per Second allowed to be under the MINMSS Size");
 int tcp_do_rfc1323 = 1;
 SYSCTL_INT(_net_inet_tcp, TCPCTL_DO_RFC1323, rfc1323, CTLFLAG_RW,
diff --git a/sys/netinet/tcp_timewait.c b/sys/netinet/tcp_timewait.c
index de0cfee..2f1e385 100644
--- a/sys/netinet/tcp_timewait.c
+++ b/sys/netinet/tcp_timewait.c
@@ -137,18 +137,6 @@ SYSCTL_INT(_net_inet_tcp, TCPCTL_V6MSSDFLT, v6mssdflt,
 int tcp_minmss = TCP_MINMSS;
 SYSCTL_INT(_net_inet_tcp, OID_AUTO, minmss, CTLFLAG_RW,
 &tcp_minmss , 0, "Minmum TCP Maximum Segment Size");
-/*
- * Number of TCP segments per second we accept from remote host
- * before we start to calculate average segment size. If average
- * segment size drops below the minimum TCP MSS we assume a DoS
- * attack and reset+drop the connection. Care has to be taken not to
- * set this value too small to not kill interactive type connections
- * (telnet, SSH) which send many small packets.
- */
-int tcp_minmssoverload = TCP_MINMSSOVERLOAD;
-SYSCTL_INT(_net_inet_tcp, OID_AUTO, minmssoverload, CTLFLAG_RW,
- &tcp_minmssoverload , 0,
- "Number of TCP Segments per Second allowed to be under the MINMSS Size");
 int tcp_do_rfc1323 = 1;
 SYSCTL_INT(_net_inet_tcp, TCPCTL_DO_RFC1323, rfc1323, CTLFLAG_RW,
diff --git a/sys/netinet/tcp_usrreq.c b/sys/netinet/tcp_usrreq.c
index 57195a4..da1b876 100644
--- a/sys/netinet/tcp_usrreq.c
+++ b/sys/netinet/tcp_usrreq.c
@@ -1874,11 +1874,6 @@ db_print_tcpcb(struct tcpcb *tp, const char *name, int indent)
 tp->snd_recover_prev, tp->t_badrxtwin);
 db_print_indent(indent);
- db_printf("snd_limited: %u rcv_second: %lu rcv_pps: %lu "
- "tcv_byps: %lu\n", tp->snd_limited, tp->rcv_second, tp->rcv_pps,
- tp->rcv_byps);
-
- db_print_indent(indent);
 db_printf("sack_enable: %d snd_numholes: %d snd_holes first: %p\n",
 tp->sack_enable, tp->snd_numholes, TAILQ_FIRST(&tp->snd_holes));
diff --git a/sys/netinet/tcp_var.h b/sys/netinet/tcp_var.h
index 6dc20d4..0770412 100644
--- a/sys/netinet/tcp_var.h
+++ b/sys/netinet/tcp_var.h
@@ -186,10 +186,6 @@ struct tcpcb {
 tcp_seq snd_recover_prev; /* snd_recover prior to retransmit */
 u_long t_badrxtwin; /* window for retransmit recovery */
 u_char snd_limited; /* segments limited transmitted */
-/* anti DoS counters */
- u_long rcv_second; /* start of interval second */
- u_long rcv_pps; /* received packets per second */
- u_long rcv_byps; /* received bytes per second */
 /* SACK related state */
 int sack_enable; /* enable SACK for this connection */
 int snd_numholes; /* number of holes seen by sender */
@@ -493,7 +489,6 @@ extern struct inpcbinfo tcbinfo;
 extern struct tcpstat tcpstat; /* tcp statistics */
 extern int tcp_mssdflt; /* XXX */
 extern int tcp_minmss;
-extern int tcp_minmssoverload;
 extern int tcp_delack_enabled;
 extern int tcp_do_newreno;
 extern int path_mtu_discovery;
|