Page MenuHomeFreeBSD

tcp: filter small SACK blocks
ClosedPublic

Authored by rscheff on May 3 2024, 10:48 AM.
Tags
None
Referenced Files
Unknown Object (File)
Mon, Dec 9, 1:24 AM
Unknown Object (File)
Thu, Nov 28, 5:50 PM
Unknown Object (File)
Thu, Nov 28, 5:50 PM
Unknown Object (File)
Thu, Nov 28, 5:50 PM
Unknown Object (File)
Thu, Nov 28, 5:50 PM
Unknown Object (File)
Thu, Nov 28, 5:29 PM
Unknown Object (File)
Nov 22 2024, 7:32 PM
Unknown Object (File)
Nov 18 2024, 10:16 AM
Subscribers

Details

Summary

While the SACK Scoreboard in the base stack limits
the number of holes by default to only 128 per connection
in order to prevent CPU load attacks by splitting SACKs,
filtering out SACK blocks of unusually small size can
further improve the actual processing of SACK loss recovery.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

I'm wondering if it would be better to require that the sack block covers at least mss - 40 bytes. We don't know if we sent a SACK or AccECN option and it doesn't make sense to ignore the SACK blocks corresponding to such packets we sent not performing an attack.

  • filter out any segments smaller than the current maxseg size minus maximum tcp header options
This revision is now accepted and ready to land.May 7 2024, 5:55 PM
This revision was automatically updated to reflect the committed changes.