linux/net
Eric Dumazet c074da2810 ipv4: tcp: dont cache unconfirmed intput dst
DDOS synflood attacks badly hit the IP route cache.

On typical machines, this cache is allowed to hold up to 8 million dst
entries, 256 bytes each, for a total of 2GB of memory.

rt_garbage_collect() triggers and tries to clean up things.

Eventually the route cache is disabled, but the machine is under fire and might
OOM and crash.

This patch exploits the new TCP early demux to set a nocache
boolean in case the incoming TCP frame is for a not yet ESTABLISHED or
TIMEWAIT socket.

This 'nocache' boolean is then used, in case the dst entry is not found in the
route cache, to create an unhashed dst entry (DST_NOCACHE).

SYN-cookie ACKs sent use a similar mechanism (ipv4: tcp: dont cache
output dst for syncookies), so after this patch, a machine is able to
absorb a DDOS synflood attack without polluting its IP route cache.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Hans Schillstrom <hans.schillstrom@ericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2012-06-27 15:34:24 -07:00
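As an added example, not kernel code and not part of this commit, the following user-space C model shows the decision the commit message describes: an early-demux lookup of the incoming 4-tuple decides whether a route-cache miss hashes a new entry into the cache or hands back an unhashed DST_NOCACHE-style entry that dies with the packet. The socket table, the route cache, the addresses and the replayed traffic are all constructed toy data; RT_MAX_SIZE stands in for the ip_rt_max_size limit and the overflow counter for the rt_garbage_collect() pressure the message mentions.

```c
/* Added example: a toy model of "nocache input dst for unconfirmed sockets".
 * Not kernel code; all tables, addresses and traffic below are constructed. */
#include <stdint.h>
#include <stdio.h>

enum sk_state { SK_NONE, SK_ESTABLISHED, SK_TIME_WAIT };

struct flow { uint32_t saddr, daddr; uint16_t sport, dport; };

static int flow_eq(const struct flow *a, const struct flow *b)
{
    return a->saddr == b->saddr && a->daddr == b->daddr &&
           a->sport == b->sport && a->dport == b->dport;
}

/* Toy socket table: only confirmed (ESTABLISHED / TIME_WAIT) 4-tuples live here. */
#define MAX_SOCKS 64
static struct { struct flow f; enum sk_state st; } socks[MAX_SOCKS];
static int nsocks;

static void sock_add(struct flow f, enum sk_state st)
{
    if (nsocks < MAX_SOCKS) { socks[nsocks].f = f; socks[nsocks].st = st; nsocks++; }
}

/* Early demux: look the incoming segment's 4-tuple up before routing it. */
static enum sk_state early_demux(const struct flow *f)
{
    for (int i = 0; i < nsocks; i++)
        if (flow_eq(&socks[i].f, f)) return socks[i].st;
    return SK_NONE;   /* no confirmed socket: a SYN for a listener, or garbage */
}

/* The decision the commit adds: only confirmed sockets get a cached input dst. */
static int want_nocache(enum sk_state st)
{
    return !(st == SK_ESTABLISHED || st == SK_TIME_WAIT);
}

/* Toy IP route cache keyed by (saddr, daddr), bounded like ip_rt_max_size. */
#define RT_MAX_SIZE 1024
struct rt_key { uint32_t saddr, daddr; };
static struct rt_key rt_cache[RT_MAX_SIZE];
static int rt_count, rt_overflow, unhashed_dst;

static int rt_lookup(uint32_t s, uint32_t d)
{
    for (int i = 0; i < rt_count; i++)
        if (rt_cache[i].saddr == s && rt_cache[i].daddr == d) return 1;
    return 0;
}

/* ip_route_input stand-in: on a miss, either hash a new entry into the cache or
 * create an unhashed (DST_NOCACHE-like) entry that is freed with the skb. */
static void route_input(const struct flow *f, int nocache)
{
    if (rt_lookup(f->saddr, f->daddr)) return;
    if (nocache) { unhashed_dst++; return; }
    if (rt_count < RT_MAX_SIZE) { rt_cache[rt_count].saddr = f->saddr;
                                  rt_cache[rt_count].daddr = f->daddr; rt_count++; }
    else rt_overflow++;   /* the cache is full: garbage-collection pressure */
}

int cache_overflows(void) { return rt_overflow; }
int unhashed_dsts(void)   { return unhashed_dst; }

/* Replay: 8 real connections, then n_syn SYNs from n_syn distinct spoofed sources
 * (constructed input). Returns the route cache size afterwards. With patched == 0
 * every flood source pins a cache entry; with patched == 1 only confirmed flows do. */
int simulate(int n_syn, int patched)
{
    const uint32_t server = 0xc0a80001u;   /* 192.168.0.1, assumed */
    rt_count = rt_overflow = unhashed_dst = 0; nsocks = 0;

    for (int i = 0; i < 8; i++) {
        struct flow f = { 0x0a000100u + (uint32_t)i, server, (uint16_t)(40000 + i), 80 };
        sock_add(f, SK_ESTABLISHED);
        route_input(&f, patched && want_nocache(early_demux(&f)));   /* cached */
    }
    for (int i = 0; i < n_syn; i++) {
        struct flow f = { 0x01000000u + (uint32_t)i, server, (uint16_t)(1024 + i % 60000), 80 };
        route_input(&f, patched && want_nocache(early_demux(&f)));   /* SK_NONE */
    }
    return rt_count;
}

int main(void)
{
    printf("unpatched: %d cached, %d overflows\n", simulate(100000, 0), cache_overflows());
    printf("patched:   %d cached, %d unhashed dsts\n", simulate(100000, 1), unhashed_dsts());
    return 0;
}
```

The unpatched run fills the cache to RT_MAX_SIZE and then reports one overflow per further spoofed source, which is the garbage-collector pressure the message describes; the patched run leaves only the eight confirmed flows in the cache, since every SYN that early demux cannot match to an ESTABLISHED or TIME_WAIT socket gets an unhashed dst instead.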
9p net/9p: Add __force to cast of __user pointer 2012-06-04 13:51:17 -04:00
802 tokenring: delete all remaining driver support 2012-05-15 20:23:16 -04:00
8021q Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2012-05-16 22:17:37 -04:00
appletalk appletalk: Remove out of date message in printk 2012-06-07 13:11:59 -07:00
atm net: Remove casts to same type 2012-06-04 11:45:11 -04:00
ax25 net: use consume_skb() in place of kfree_skb() 2012-06-04 11:27:40 -04:00
batman-adv batman-adv: fix global TT entry deletion 2012-06-25 23:54:32 -07:00
bluetooth Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2012-06-25 15:50:32 -07:00
bridge netfilter: ebt_ulog: Move away from NLMSG_PUT(). 2012-06-26 21:23:42 -07:00
caif caif: Fixed potential memory leak 2012-06-25 16:44:11 -07:00
can canfd: add support for CAN FD in CAN_RAW sockets 2012-06-19 21:40:08 +02:00
ceph Merge git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client 2012-05-30 11:17:19 -07:00
core ipv4: Early TCP socket demux. 2012-06-19 21:22:05 -07:00
dcb net: dcb: fix small regression in __dcbnl_pg_setcfg() 2012-06-21 15:06:00 -07:00
dccp ipv4: tcp: dont cache output dst for syncookies 2012-06-22 21:47:33 -07:00
decnet decnet: dn_table: Move away from NLMSG_NEW(). 2012-06-26 21:54:15 -07:00
dns_resolver Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security 2012-05-21 20:27:36 -07:00
dsa dsa: Convert compare_ether_addr to ether_addr_equal 2012-05-09 20:49:19 -04:00
ethernet net, drivers/net: Convert compare_ether_addr_64bits to ether_addr_equal_64bits 2012-05-10 23:33:01 -04:00
ieee802154 6lowpan: double unlock on an error path 2012-06-27 01:16:45 -07:00
ipv4 ipv4: tcp: dont cache unconfirmed intput dst 2012-06-27 15:34:24 -07:00
ipv6 net/ipv6/route.c: packets originating on device match lo 2012-06-25 23:54:32 -07:00
ipx ipx: Remove spurious NULL checking in ipx_ioctl(). 2012-05-19 00:51:04 -04:00
irda net: Remove casts to same type 2012-06-04 11:45:11 -04:00
iucv net: remove skb_orphan_try() 2012-06-15 15:30:15 -07:00
key net: cleanup unsigned to unsigned int 2012-04-15 12:44:40 -04:00
l2tp Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2012-06-12 21:59:18 -07:00
lapb lapb: Neaten debugging 2012-05-17 18:45:20 -04:00
llc net: include/net/sock.h cleanup 2012-05-17 04:50:21 -04:00
mac80211 Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-next into for-davem 2012-06-19 14:41:22 -04:00
mac802154 mac802154: add monitor listener to TX datapath 2012-06-26 21:06:33 -07:00
netfilter netfilter: nfnetlink_queue_core: Move away from NLMSG_PUT(). 2012-06-26 21:35:27 -07:00
netlabel netlabel: use GFP flags from caller instead of GFP_ATOMIC 2012-03-22 19:29:57 -04:00
netlink genetlink: Build a generic netlink family module alias 2012-05-29 22:33:56 -04:00
netrom net: Convert all sysctl registrations to register_net_sysctl 2012-04-20 21:22:30 -04:00
nfc Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2012-06-12 21:59:18 -07:00
openvswitch Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2012-05-16 22:17:37 -04:00
packet af_packet: use sizeof instead of constant in spkt_device 2012-06-11 16:51:51 -07:00
phonet net: remove my future former mail address 2012-06-17 16:29:38 -07:00
rds rds_rdma: don't assume infiniband device is PCI 2012-05-29 17:30:07 -04:00
rfkill rfkill: Add the capability to switch all devices of all type in __rfkill_switch_all(). 2012-06-06 15:18:17 -04:00
rose net: Convert all sysctl registrations to register_net_sysctl 2012-04-20 21:22:30 -04:00
rxrpc ipv4: Kill ip_rt_frag_needed(). 2012-06-11 02:08:59 -07:00
sched pkt_sched: sch_api: Move away from NLMSG_NEW(). 2012-06-26 21:54:15 -07:00
sctp sctp: fix warning when compiling without IPv6 2012-06-19 00:26:26 -07:00
sunrpc Merge branch 'for-3.5' of git://linux-nfs.org/~bfields/linux 2012-06-01 08:32:58 -07:00
tipc net: Remove casts to same type 2012-06-04 11:45:11 -04:00
unix unix_diag: Move away from NLMSG_PUT(). 2012-06-26 21:41:00 -07:00
wanrouter net/wanrouter: Deprecate and schedule for removal 2012-05-24 16:22:53 -04:00
wimax net: cleanup unsigned to unsigned int 2012-04-15 12:44:40 -04:00
wireless Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless 2012-06-13 15:35:35 -04:00
x25 net: add a limit parameter to sk_add_backlog() 2012-04-23 22:28:28 -04:00
xfrm ipv6: fix incorrect ipsec fragment 2012-05-27 01:11:22 -04:00
compat.c Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security 2012-05-21 20:27:36 -07:00
Kconfig net: drop NET dependency from HAVE_BPF_JIT 2012-05-21 12:50:12 -07:00
Makefile econet: remove ancient bug ridden protocol 2012-05-18 01:35:08 -04:00
nonet.c
socket.c Merge branch 'for-3.5' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/percpu 2012-05-22 17:37:47 -07:00
sysctl_net.c net: delete all instances of special processing for token ring 2012-05-15 20:14:35 -04:00