Sending to developer too...
> On Aug 15, 2018, at 9:41 AM, Bob Friesenhahn <[email protected]>
> wrote:
>
> Is the Illumos IP stack known to suffer from IP and/or TCP segment reassembly
> DOS problems as FreeBSD and Linux have recently been found to have?
I had early access to a PoC, but could not make it cause obvious pain. BUT...
> The situation must be pretty bad, with this advisement coming out about
> FreeBSD TCP reassembly:
>
> "As a workaround, system administrators should configure their systems
> to only accept TCP connections from trusted end-stations, if it is
> possible to do so.".
>
> I have seen advisements to disable IP reassembly entirely and severely
> curtail TCP re-assembly.
... I'm going to advise CAUTION. PLEASE folks, report here if you're seeing
any spikes in traffic or latency to indicate this. I'm concerned about this.
Here's a first-cut D script to monitor these:
dtrace -n '
tcp_reass:entry { self->tcp_reass = timestamp; }
tcp_reass:return /self->tcp_reass != 0/ {
    @times["tcpreass"] = quantize(timestamp - self->tcp_reass);
    self->tcp_reass = 0;
}
ip_reassemble:entry { self->ip_reassemble = timestamp; }
ip_reassemble:return /self->ip_reassemble != 0/ {
    @times["ipreass"] = quantize(timestamp - self->ip_reassemble);
    self->ip_reassemble = 0;
}
tick-10s { printa(@times); }'
Thanks,
Dan
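
Added example, not part of the original message: a small Python parser for the quantize() histograms that the D script prints, reporting what fraction of tcp_reass/ip_reassemble calls landed in slow buckets. The sample output, the 100 us threshold and the 5% limit are constructed assumptions, not measurements or recommended values.

```python
import re

# Constructed sample of one printa(@times) snapshot; values are nanoseconds.
SAMPLE = """\
  tcpreass
           value  ------------- Distribution ------------- count
             256 |                                         0
             512 |@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@           300
            1024 |@@@@@@@@@                                90
            2048 |@                                        10

  ipreass
           value  ------------- Distribution ------------- count
           16384 |                                         0
           32768 |@@@@@@@@@@@@@@@@@@@@                     50
           65536 |@@@@@@@@@@                               25
          131072 |@@@@@@@@@@                               25
          262144 |                                         0
"""

ROW = re.compile(r"^\s*(-?\d+)\s*\|[@ ]*?(\d+)\s*$")  # "value |bars count"

def parse_quantize(text):
    """Return {key: [(bucket_lower_bound_ns, count), ...]}.
    @times is never cleared, so a repeated key keeps only its latest snapshot."""
    aggs, key = {}, None
    for line in text.splitlines():
        m = ROW.match(line)
        if m and key is not None:
            aggs[key].append((int(m.group(1)), int(m.group(2))))
        elif line.strip() and "Distribution" not in line:
            key = line.strip()
            aggs[key] = []
    return aggs

def slow_fraction(buckets, threshold_ns):
    """Fraction of calls in buckets whose lower bound is >= threshold_ns."""
    total = sum(c for _, c in buckets)
    slow = sum(c for v, c in buckets if v >= threshold_ns)
    return slow / total if total else 0.0

def flag_spikes(text, threshold_ns=100_000, max_fraction=0.05):
    """Aggregation names where too many calls were slow (assumed limits)."""
    return sorted(k for k, b in parse_quantize(text).items()
                  if b and slow_fraction(b, threshold_ns) > max_fraction)

if __name__ == "__main__":
    for name, buckets in parse_quantize(SAMPLE).items():
        print(name, f"{slow_fraction(buckets, 100_000):.1%} of calls >= 100 us")
    print("flagged:", flag_spikes(SAMPLE))
```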
------------------------------------------
illumos: illumos-discuss