diff options
author | Eric Dumazet <edumazet@google.com> | 2012-06-26 23:14:15 +0000 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2012-06-27 15:34:24 -0700 |
commit | c074da2810c118b3812f32d6754bd9ead2f169e7 (patch) | |
tree | 772c7fbb9da464f9afd6d56e9e610157ed665e8f /net/ipv4/xfrm4_input.c | |
parent | 93040ae5cc8dcc893eca4a4366dc8415af278edf (diff) |
ipv4: tcp: dont cache unconfirmed intput dst
DDOS synflood attacks hit badly IP route cache.
On typical machines, this cache is allowed to hold up to 8 Millions dst
entries, 256 bytes for each, for a total of 2GB of memory.
rt_garbage_collect() triggers and tries to cleanup things.
Eventually route cache is disabled but machine is under fire and might
OOM and crash.
This patch exploits the new TCP early demux, to set a nocache
boolean in case incoming TCP frame is for a not yet ESTABLISHED or
TIMEWAIT socket.
This 'nocache' boolean is then used in case dst entry is not found in
route cache, to create an unhashed dst entry (DST_NOCACHE)
SYN-cookie-ACK sent use a similar mechanism (ipv4: tcp: dont cache
output dst for syncookies), so after this patch, a machine is able to
absorb a DDOS synflood attack without polluting its IP route cache.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Hans Schillstrom <hans.schillstrom@ericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv4/xfrm4_input.c')
-rw-r--r-- | net/ipv4/xfrm4_input.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/net/ipv4/xfrm4_input.c b/net/ipv4/xfrm4_input.c index 06814b6216d..eee636b191b 100644 --- a/net/ipv4/xfrm4_input.c +++ b/net/ipv4/xfrm4_input.c @@ -28,7 +28,7 @@ static inline int xfrm4_rcv_encap_finish(struct sk_buff *skb) const struct iphdr *iph = ip_hdr(skb); if (ip_route_input_noref(skb, iph->daddr, iph->saddr, - iph->tos, skb->dev)) + iph->tos, skb->dev, false)) goto drop; } return dst_input(skb); |