20: Networking (2) TCP Socket Buffers. Mark Handley. TCP Acks. TCP Data. Application. Application. Kernel. Kernel. Socket buffer.

Transcription

1 20: Networking (2) Mark Handley TCP Socket Buffers Application Application Kernel write Kernel read Socket buffer Socket buffer DMA DMA NIC TCP Acks NIC TCP Data 1

2 TCP Socket Buffers Send-side Socket Buffer Temporary storage between system call and DMA to NIC. Data kept here until it has been acknowledged by receiver. Data is retransmitted from here if acks indicate it didn t arrive. Receive-side Socket Buffer Temporary storage between DMA and read() syscall returning at receiving application. Data kept here until it can be delivered in-order to the application. May need to store a window worth of data while waiting for a retransmission. TCP sends the current window size to sender, so it doesn t send more than the receiver can buffer. Protocol Design Network Protocols and Operating Systems coevolved. Protocol design reflects what was possible on an OS at the time the protocol was designed. Example: TCP s rate control mechanism. 2

3 TCP s Windows TCP maintains two windows: Receive window. Used to avoid sending data that there is no space for at the receiver. Information about the receive window carried in TCP acks. Congestion window. How fast to send? Could implement a rate-control mechanism Maintain current transmit rate. Adapt this based on feedback from acks. Problem: How can you implement sending at a particular rate? 100Mb/s with 1500 byte packets => 8333 packets per second (one packet every 120µs) What timers does the OS have to implement this? 3

4 How fast to send? Wrong question. Control the amount of data unacknowledged. Congestion Window. Use incoming acknowledgements to cause us to transmit new data. Known as ack clocking We re already in the kernel anyway, handling the receive interrupt for the ack. Only need a coarse-grain timer to cause retransmission when a packet has been lost and no acks arrive. Datagram Congestion Control Protocol New protocol to provide congestion control for realtime data that does not want TCP s reliability. Audio, video, etc. Two modes: TCP-like, ack clocked. TFRC: rate-controlled, to make average TCP rate. We re not so concerned these days about rate-based protocols: Use soft timers. Busy servers have more incoming acks, so better soft-timer granularity. Still need to be smart about timer datastructures, but can afford more CPU time for these than in the past. 4

5 DoS attacks. Attacker wants to deny service to a server. Floods the server with requests. How the OS maintains its network datastructures matters a lot to whether the server survives or not. DoS Attacks Flooding Attacks: SYN flood: attacker sends TCP connect requests faster than victim can process them. Victim responds then waits for confirmation. Victim s connection table fills up, new connections ignored Attack Resource Threshold Requests/bot Bots needed to exhaust SYN flood 18,000/sec 450 SYNs/sec 40 SYN flood, tuned server 200,000/sec 450 SYNs/sec 440 SYN flood, dedicated hardware 1,000,000/sec 450 SYNs/sec 2,200 5

6 DoS Attacks Application-Level Attacks: Use expected behaviour of protocols to cause victim to spend resources. Difficult to filter - looks like real transactions or requests. Load prevents victim from processing real requests. Attack Resource Threshold Requests/bot Bots needed to exhaust static http GET 60,000/sec 93 requests/sec at 250 bytes/request 645 dynamic http GET 3,000/sec 93 requests/sec at 250 bytes/request 40 SSL handshake 600/sec 10 requests/sec 60 DoS attacks SYN flood. Flood the server with SYN packets from spoofed source addresses. Run the kernel out of TCB memory. Avoid holding connection state for half-open connections (SYN cookies). Maintain a separate memory pool for half-open connections. Adaptively time out half-open connections based on incoming rate. 6

7 DoS Attacks Ack flood. Flood server with Acks for connections that don t exist. Server spends a lot of time trying to find the right TCB, wasting CPU time. Solution: Good datastructures: hash table. Beware if attacker can predict hash function. DoS attacks Connection flood. Attacker opens large numbers of connections, and leaves them open. Runs kernel out of memory for TCBs/socket buffers. Adaptive management of socket buffer memory. Inactive connections get their socket buffers reduced to a single packet. May violate protocol spec 7