Maintained by: NLnet Labs

[Unbound-users] unbound closes receive socket => udp probes

W.C.A. Wijngaards
Mon Jul 29 16:51:46 CEST 2013


Hi Ilya,

On 07/29/2013 03:44 PM, Ilya Bakulin wrote:
> Hi Wouter,
> 
> On Monday 08 July 2013 16:25:19 W.C.A. Wijngaards wrote:
>> So, although I understand this ICMP port closed is troublesome, I
>> do not know how to get rid of it.  Is there something I can tell
>> the kernel that stops the ICMP port closed (for UDP)?  Should
>> unbound listen to raw sockets and somehow remove the packet
>> destined for an old port (but what if someone runs 'dig' and it
>> uses a random port that unbound just previously used?).
> 
> yes you're right, the "right" fix is really complicated; therefore
> it is actually wrong.
> 
> We have another suggestion, that may help -- adding some constant
> value to the calculated RTT. This will slow the rps rate, but at
> least eliminate ICMP flood in cases when there are some
> fluctuations in the network that cause answers to arrive a bit
> slower. I have tried to find a right place in the code to add this,
> but it seems I haven't succeeded. Could you please help me?

util/rtt.h:
#define RTT_MIN_TIMEOUT 50
util/rtt.c:51:
        if(rto < RTT_MIN_TIMEOUT)

And in util/rtt.c:69
rtt_timeout(const struct rtt_info* rtt)
The timeout routine returns the actual timeout that is used to wait
for packets, here you could add +50 msec (if it is smaller than 50).

> I understand that this is also a kind of "hack" and it might not be
> committed, but we really don't have another choice -- there is no
> way to tell if there was a UDP probe attack or late answer from
> DNS...
> 
> Thank you for your time.

If this works well and does not impact normal users then we could
think about including the fix.

Best regards,
   Wouter
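
As an added example, not code from Unbound or from either poster: a
stand-alone C re-implementation of the kind of estimator util/rtt.c
implements (scaled-integer SRTT and RTTVAR, an RFC 2988 style RTO with
the 50 ms RTT_MIN_TIMEOUT floor), with the constant Ilya proposes added
at the point where the timeout is returned, plus a constructed scenario
that shows what the constant buys. The initial estimate, the 120 s
ceiling, the 50 ms slack, the function names other than rtt_timeout and
the constant RTT_MIN_TIMEOUT quoted above, and the sample RTTs are all
assumptions made for the demo.

```c
/* Added example, not Unbound code.  The names rtt_timeout and
 * RTT_MIN_TIMEOUT come from the message above; everything else is an
 * assumption chosen to make the demo self-contained. */
#include <stdio.h>

#define RTT_MIN_TIMEOUT      50      /* floor from util/rtt.h, ms */
#define RTT_MAX_TIMEOUT      120000  /* assumed ceiling, ms */
#define RTT_DEFAULT_TIMEOUT  376     /* assumed initial estimate, ms */
#define RTT_TIMEOUT_SLACK    50      /* the proposed constant, ms; 0 = stock */

struct rtt_info {
    int srtt;    /* smoothed RTT, stored scaled by 8 */
    int rttvar;  /* mean deviation, stored scaled by 4 */
    int rto;     /* retransmission timeout, ms */
};

/* rto = srtt + 4*rttvar (RFC 2988), clamped to [MIN, MAX]. */
static int calc_rto(const struct rtt_info *rtt)
{
    int rto = (rtt->srtt >> 3) + rtt->rttvar;
    if (rto < RTT_MIN_TIMEOUT) rto = RTT_MIN_TIMEOUT;
    if (rto > RTT_MAX_TIMEOUT) rto = RTT_MAX_TIMEOUT;
    return rto;
}

void rtt_init(struct rtt_info *rtt)
{
    rtt->srtt = RTT_DEFAULT_TIMEOUT * 8;
    rtt->rttvar = RTT_DEFAULT_TIMEOUT * 2;
    rtt->rto = calc_rto(rtt);
}

/* Fold one measured round trip (ms) into the estimate (Jacobson/Karels). */
void rtt_update(struct rtt_info *rtt, int ms)
{
    int delta = ms - (rtt->srtt >> 3);
    rtt->srtt += delta;                 /* srtt = 7/8 srtt + 1/8 ms */
    if (delta < 0) delta = -delta;
    delta -= (rtt->rttvar >> 2);
    rtt->rttvar += delta;               /* rttvar = 3/4 rttvar + 1/4 |err| */
    rtt->rto = calc_rto(rtt);
}

/* How long the resolver waits before it closes the query's UDP socket.
 * Adding the slack here is the whole proposed change. */
int rtt_timeout(const struct rtt_info *rtt, int slack)
{
    return rtt->rto + slack;
}

enum outcome { ANSWER_ACCEPTED = 0, SOCKET_CLOSED_ICMP = 1 };

/* An answer that lands answer_ms after the query went out is read from the
 * socket if the wait is still running; otherwise the socket is already
 * closed and the kernel replies to the datagram with ICMP port unreachable,
 * which is the traffic the thread is about. */
enum outcome classify_answer(const struct rtt_info *rtt, int slack, int answer_ms)
{
    return answer_ms <= rtt_timeout(rtt, slack) ? ANSWER_ACCEPTED
                                                : SOCKET_CLOSED_ICMP;
}

/* Constructed scenario: an upstream that has answered 60 queries in rtt_ms
 * each, so the estimate has converged, and then one answer is late. */
static void converge(struct rtt_info *rtt, int rtt_ms)
{
    int i;
    rtt_init(rtt);
    for (i = 0; i < 60; i++)
        rtt_update(rtt, rtt_ms);
}

int converged_timeout(int rtt_ms, int slack)
{
    struct rtt_info rtt;
    converge(&rtt, rtt_ms);
    return rtt_timeout(&rtt, slack);
}

enum outcome late_answer_scenario(int rtt_ms, int slack, int answer_ms)
{
    struct rtt_info rtt;
    converge(&rtt, rtt_ms);
    return classify_answer(&rtt, slack, answer_ms);
}

int main(void)
{
    int late = 70; /* answer 70 ms after sending; upstream normally takes 20 ms */
    printf("stock timeout %d ms, with slack %d ms\n",
           converged_timeout(20, 0), converged_timeout(20, RTT_TIMEOUT_SLACK));
    printf("answer at %d ms: stock -> %s, with slack -> %s\n", late,
           late_answer_scenario(20, 0, late) ? "ICMP port unreachable" : "accepted",
           late_answer_scenario(20, RTT_TIMEOUT_SLACK, late) ? "ICMP port unreachable" : "accepted");
    return 0;
}
```

With a fast upstream the estimator bottoms out at the 50 ms floor, so a
70 ms answer arrives at a closed port under the stock timeout and is
accepted with the slack. The constant only rescues answers that are at
most that many milliseconds late, and it does nothing for deliberate
probes, which look exactly like late answers from the resolver's side;
what it changes is how often a merely slow server produces an ICMP
reply per query.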
