Under SYN Flood, the TCP stack generates SYN Cookie to remain stateless
for the connection request until a valid ACK is responded to the SYN+ACK.
The cookie contains two kinds of host-specific bits, a timestamp and
secrets, so only can it be validated by the generator. It means SYN
Cookie consumes network resources between the client and the server;
intermediate nodes must remember which nodes to route ACK for the cookie.
SYN Proxy reduces such unwanted resource allocation by handling 3WHS at
the edge network. After SYN Proxy completes 3WHS, it forwards SYN to the
backend server and completes another 3WHS. However, since the server's
ISN differs from the cookie, the proxy must manage the ISN mappings and
fix up SEQ/ACK numbers in every packet for each connection. If a proxy
node is down, all the connections through it are also down. Keeping a
state at proxy is painful from that perspective.
At AWS, we use a dirty hack to build truly stateless SYN Proxy at scale.
Our SYN Proxy consists of the front proxy layer and the backend kernel
module. (See slides of netconf [0], p6 - p15)
The cookie that SYN Proxy generates differs from the kernel's cookie in
that it contains a secret (called rolling salt) (i) shared by all the proxy
nodes so that any node can validate ACK and (ii) updated periodically so
that old cookies cannot be validated. Also, ISN contains WScale, SACK, and
ECN, not in TS val. This is not to sacrifice any connection quality, where
some customers turn off the timestamp option due to retro CVE.
After 3WHS, the proxy restores SYN and forwards it and ACK to the backend
server. Our kernel module works at Netfilter input/output hooks and first
feeds SYN to the TCP stack to initiate 3WHS. When the module is triggered
for SYN+ACK, it looks up the corresponding request socket and overwrites
tcp_rsk(req)->snt_isn with the proxy's cookie. Then, the module can
complete 3WHS with the original ACK as is.
This way, our SYN Proxy does not manage the ISN mappings and can stay
stateless. It's working very well for high-bandwidth services like
multiple Tbps, but we are looking for a way to drop the dirty hack and
further optimise the sequences.
If we could validate an arbitrary SYN Cookie on the backend server with
BPF, the proxy would need not restore SYN nor pass it. After validating
ACK, the proxy node just needs to forward it, and then the server can do
the lightweight validation (e.g. check if ACK came from proxy nodes, etc)
and create a connection from the ACK.
This series adds two SOCK_OPS hooks to generate and validate arbitrary
SYN Cookie. Each hook is invoked if BPF_SOCK_OPS_SYNCOOKIE_CB_FLAG is
set to the listening socket in advance by bpf_sock_ops_cb_flags_set().
The user interface looks like this:
BPF_SOCK_OPS_GEN_SYNCOOKIE_CB
input
|- bpf_sock_ops.sk : 4-tuple
|- bpf_sock_ops.skb : TCP header
|- bpf_sock_ops.args[0] : MSS
`- bpf_sock_ops.args[1] : BPF_SYNCOOKIE_XXX flags
output
|- bpf_sock_ops.replylong[0] : ISN (SYN Cookie) ------.
`- bpf_sock_ops.replylong[1] : TS value -----------. |
| |
BPF_SOCK_OPS_CHECK_SYNCOOKIE_CB | |
| |
input | |
|- bpf_sock_ops.sk : 4-tuple | |
|- bpf_sock_ops.skb : TCP header | |
|- bpf_sock_ops.args[0] : ISN (SYN Cookie) <-----'
`- bpf_sock_ops.args[1] : TS value <----------'
output
|- bpf_sock_ops.replylong[0] : MSS
`- bpf_sock_ops.replylong[1] : BPF_SYNCOOKIE_XXX flags
To establish a connection from SYN Cookie, BPF_SOCK_OPS_CHECK_SYNCOOKIE_CB
hook must set a valid MSS to bpf_sock_ops.replylong[0], meaning that
BPF_SOCK_OPS_GEN_SYNCOOKIE_CB hook must encode MSS to ISN or TS val to be
restored in the validation hook.
If WScale, SACK, and ECN are detected to be available in SYN packet, the
corresponding flags are passed to args[0] of BPF_SOCK_OPS_GEN_SYNCOOKIE_CB
so that bpf prog need not parse the TCP header. The same flags can be set
to replylong[0] of BPF_SOCK_OPS_CHECK_SYNCOOKIE_CB to enable each feature
on the connection.
For details, please see each patch. Here's an overview:
patch 1 - 4 : Misc cleanup
patch 5, 6 : Add SOCK_OPS hook (only ISN is available here)
patch 7, 8 : Make TS val available as the second cookie storage
patch 9, 10 : Make WScale, SACK, and ECN configurable from ACK
patch 11 : selftest, need some help from BPF experts...
[0]: https://netdev.bots.linux.dev/netconf/2023/kuniyuki.pdf
Kuniyuki Iwashima (11):
tcp: Clean up reverse xmas tree in cookie_v[46]_check().
tcp: Cache sock_net(sk) in cookie_v[46]_check().
tcp: Clean up goto labels in cookie_v[46]_check().
tcp: Don't initialise tp->tsoffset in tcp_get_cookie_sock().
bpf: tcp: Add SYN Cookie generation SOCK_OPS hook.
bpf: tcp: Add SYN Cookie validation SOCK_OPS hook.
bpf: Make bpf_sock_ops.replylong[1] writable.
bpf: tcp: Make TS available for SYN Cookie storage.
tcp: Split cookie_ecn_ok().
bpf: tcp: Make WS, SACK, ECN configurable from BPF SYN Cookie.
selftest: bpf: Test BPF_SOCK_OPS_(GEN|CHECK)_SYNCOOKIE_CB.
include/net/inet_sock.h | 4 +-
include/net/tcp.h | 46 +++-
include/uapi/linux/bpf.h | 52 ++++-
net/core/filter.c | 2 +-
net/ipv4/syncookies.c | 219 +++++++++++-------
net/ipv4/tcp_input.c | 53 ++++-
net/ipv6/syncookies.c | 94 +++++---
tools/include/uapi/linux/bpf.h | 52 ++++-
.../selftests/bpf/prog_tests/tcp_syncookie.c | 84 +++++++
.../selftests/bpf/progs/test_siphash.h | 65 ++++++
.../selftests/bpf/progs/test_tcp_syncookie.c | 170 ++++++++++++++
.../selftests/bpf/test_tcp_hdr_options.h | 8 +-
12 files changed, 715 insertions(+), 134 deletions(-)
create mode 100644 tools/testing/selftests/bpf/prog_tests/tcp_syncookie.c
create mode 100644 tools/testing/selftests/bpf/progs/test_siphash.h
create mode 100644 tools/testing/selftests/bpf/progs/test_tcp_syncookie.c
--
2.30.2
