The present invention relates generally to methods for preventing attacks on a server that operate by flooding the server's route-cache with a vast number of entries.
When sending packets of data over an Internet Protocol (IP) network, the routes to be taken by different packets are often added to a database called Forwarding Information Base (FIB). A FIB is also referred to as a routing table. The routing table specifies how to properly forward packets so that they reach their correct destinations. Some operating systems, including Linux, support multiple FIBs. Some FIBs can be associated with different network interfaces. A FIB-rules-database contains rules that specify which FIB should be used when processing a given IP packet. When processing an incoming, outgoing, or forwarded packet, an operating system not only has to track which FIB should be used, but also determine what route should be used, what sequence of functions should process the packets, to which neighbor the packet should be sent, and more. The operating system also performs several validations on the source and destination IP addresses of the packets to thwart denial of service attacks. To improve packet handling performance, it is common to maintain several caches that track recently seen flows of packets and how they are processed. This helps apportion the high costs of per-packet validations and internal packet handling paths across a potentially large number of packets that belong to a flow. For caching purposes, a flow can be packets with the same IP source address, IP destination address, incoming/outgoing interface, and the Type-of-Service (ToS) marking.
The Linux IP stack uses three different caches: a route-cache, a neighbor-cache, and a hardware-header-cache. They are all specializations of a generic destination-cache. The destination-cache holds information about destination addresses and functions in a form that is protocol independent. The neighbor-cache holds the mapping between the IP address and the MAC address of all neighbors of a given node. A neighbor of a given node (also known as an “on-link” node) is one that can be reached locally from the given node, e.g., over Ethernet links. A node that cannot be reached locally from a given node is known as an “off-link” node with respect to the given node. The neighbor cache is also referred to as the Address Resolution Protocol (ARP) table for the IPv4 protocol. The hardware-header-cache holds the MAC layer header and the functions used to manipulate those headers. The route-cache holds information about the characteristics of the IP packets, the functions used to handle them, and information about the neighbor that should receive the matching packets.
A route-cache is commonly implemented as a hash table that is initialized at the machine boot time. The number of hash buckets is computed automatically at boot time based on the amount of memory in the system. The maximum number of entries that the route cache can store is controllable by operating system parameters.
There is usually one route cache entry created for each unique combination of IPv4 source and destination addresses across all the packets handled by the IPv4 stack. This can be used as an attack vector. An attacker can send packets to the victim using random source addresses. The attacker does not even have to receive any response. As the victim handles the packets, it keeps populating the route cache with entries in the expectation of reusing them, but because every source address used in the attack is unique, no entry is ever reused. Within a few hundred thousand packets, the route cache in the victim can fill up, and performance can drop significantly.
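The following is an added illustration, not part of the patent text or of the Linux source: it models a per-flow route cache keyed on (source, destination, interface, ToS) as a bounded LRU table (an assumption; the real cache is a hash table with a garbage-collection threshold), feeds it a constructed mix of repeating client traffic and never-repeating spoofed sources, and measures what a defender can observe: the hit ratio seen by legitimate flows and the cache miss ratio as a detection signal. All addresses (10.0.0.x clients, 192.0.2.1 server, 100.64.0.0 counter) and the capacity and traffic numbers are constructed values.

```python
from collections import OrderedDict
import ipaddress

class RouteCache:
    def __init__(self, max_entries):
        self.max_entries = max_entries
        self.table = OrderedDict()  # (src, dst, iif, tos) -> cached route/neighbour info
        self.hits = self.misses = 0

    def lookup(self, src, dst, iif=0, tos=0):
        """True on a hit; on a miss insert the flow, evicting the LRU entry when full."""
        key = (src, dst, iif, tos)
        if key in self.table:
            self.table.move_to_end(key)
            self.hits += 1
            return True
        self.misses += 1
        if len(self.table) >= self.max_entries:
            self.table.popitem(last=False)
        self.table[key] = "route+neighbour info"  # stand-in for the real entry
        return False

    def miss_ratio(self):
        """Detection signal: near 0 for a healthy cache, near 1 under a unique-source flood."""
        total = self.hits + self.misses
        return self.misses / total if total else 0.0

def legit_hit_ratio(cache, packets):
    """Feed (src, dst, is_legit) tuples in order; return the hit ratio of the legit flows only."""
    results = [(legit, cache.lookup(src, dst)) for src, dst, legit in packets]
    legit_hits = [hit for is_legit, hit in results if is_legit]
    return sum(legit_hits) / len(legit_hits)

def traffic(n_legit, flood_per_legit):
    """Constructed mix: 50 clients taking turns, each followed by flood_per_legit never-repeating sources."""
    clients = [f"10.0.0.{i}" for i in range(1, 51)]
    spoofed, pkts = ipaddress.IPv4Address("100.64.0.0"), []
    for n in range(n_legit):
        pkts.append((clients[n % 50], "192.0.2.1", True))
        for _ in range(flood_per_legit):
            pkts.append((str(spoofed), "192.0.2.1", False))
            spoofed += 1
    return pkts

def compare(max_entries=1000, n_legit=2000, flood_per_legit=100):
    """(legit hit ratio, miss ratio) for a quiet cache and for a flooded one."""
    quiet, flooded = RouteCache(max_entries), RouteCache(max_entries)
    q = legit_hit_ratio(quiet, traffic(n_legit, 0))
    f = legit_hit_ratio(flooded, traffic(n_legit, flood_per_legit))
    return (q, quiet.miss_ratio()), (f, flooded.miss_ratio())
```

With these constructed parameters the quiet cache serves legitimate flows at a 0.975 hit ratio, while under the flood every legitimate lookup misses and the miss ratio reaches 1.0 with the table pinned at its maximum size; a sustained jump in miss ratio while the table stays full is the observable that a monitor would alert on.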
Embodiments of the present invention can remove this attack vector by making changes to the way the route cache is used.