diff options
| author | Jakub Kicinski <kuba@kernel.org> | 2024-08-30 11:14:08 -0700 |
|---|---|---|
| committer | Jakub Kicinski <kuba@kernel.org> | 2024-08-30 11:14:08 -0700 |
| commit | 789ed80afa8c031bb125341a194e37aea71f1d46 (patch) | |
| tree | e38eeb8667c759140bd3e7a656d27006e3b27bc9 /include | |
| parent | b26b64493343659cce8bbffa358bf39e4f68bdec (diff) | |
| parent | f17bf505ff89595df5147755e51441632a5dc563 (diff) | |
Merge branch 'icmp-avoid-possible-side-channels-attacks'
Eric Dumazet says:
====================
icmp: avoid possible side-channels attacks
Keyu Man reminded us that linux ICMP rate limiting was still allowing
side-channels attacks.
Quoting the fine document [1]:
4.4 Private Source Port Scan Method
...
We can then use the same global ICMP rate limit as a side
channel to infer if such an ICMP message has been triggered. At
first glance, this method can work but at a low speed of one port
per second, due to the per-IP rate limit on ICMP messages.
Surprisingly, after we analyze the source code of the ICMP rate
limit implementation, we find that the global rate limit is checked
prior to the per-IP rate limit. This means that even if the per-IP
rate limit may eventually determine that no ICMP reply should be
sent, a packet is still subjected to the global rate limit check and one
token is deducted. Ironically, such a decision is consciously made
by Linux developers to avoid invoking the expensive check of the
per-IP rate limit [ 22], involving a search process to locate the per-IP
data structure.
This effectively means that the per-IP rate limit can be disre-
garded for the purpose of our side channel based scan, as it only
determines if the final ICMP reply is generated but has nothing to
do with the global rate limit counter decrement. As a result, we can
continue to use roughly the same scan method as efficient as before,
achieving 1,000 ports per second
...
This series :
1) Changes the order of the two rate limiters to fix the issue.
2-3) Make the 'host-wide' rate limiter a per-netns one.
[1]
Link: https://dl.acm.org/doi/pdf/10.1145/3372297.3417280
====================
Link: https://patch.msgid.link/20240829144641.3880376-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Diffstat (limited to 'include')
| -rw-r--r-- | include/net/ip.h | 5 | ||||
| -rw-r--r-- | include/net/netns/ipv4.h | 5 |
2 files changed, 6 insertions, 4 deletions
diff --git a/include/net/ip.h b/include/net/ip.h index c5606cadb1a5..1ee472fa8b37 100644 --- a/include/net/ip.h +++ b/include/net/ip.h @@ -794,9 +794,8 @@ static inline void ip_cmsg_recv(struct msghdr *msg, struct sk_buff *skb) ip_cmsg_recv_offset(msg, skb->sk, skb, 0, 0); } -bool icmp_global_allow(void); -extern int sysctl_icmp_msgs_per_sec; -extern int sysctl_icmp_msgs_burst; +bool icmp_global_allow(struct net *net); +void icmp_global_consume(struct net *net); #ifdef CONFIG_PROC_FS int ip_misc_proc_init(void); diff --git a/include/net/netns/ipv4.h b/include/net/netns/ipv4.h index 5fcd61ada622..276f622f3516 100644 --- a/include/net/netns/ipv4.h +++ b/include/net/netns/ipv4.h @@ -122,7 +122,10 @@ struct netns_ipv4 { u8 sysctl_icmp_errors_use_inbound_ifaddr; int sysctl_icmp_ratelimit; int sysctl_icmp_ratemask; - + int sysctl_icmp_msgs_per_sec; + int sysctl_icmp_msgs_burst; + atomic_t icmp_global_credit; + u32 icmp_global_stamp; u32 ip_rt_min_pmtu; int ip_rt_mtu_expires; int ip_rt_min_advmss; |