Tls errors under ping flood #2117

Open
const-t opened this issue May 9, 2024 · 0 comments
const-t commented May 9, 2024

Scope

Faced weird behavior. I wrote a little script for ping flooding; when I run it to test Tempesta, I get a lot of warnings in dmesg about invalid TLS processing. However, when I added delays between ping frames, all the warnings were gone. I tested this script on other implementations. Nginx just blocks me, because it has flood protection. The Golang server processes all frames without errors.

commit: 10b38e0

Looks like we don't disconnect the client on an error in the TLS protocol.

stats:

Server successful TLS handshakes	: 10
Server failed TLS handshakes		: 33825

log:

[10137.585955] [tempesta tls] Warning: bad TLS version 3:23
[10137.587562] [tempesta tls] Warning: [::ffff:192.168.122.1] Bad TLS record (err -0xFFFFF004)
[10153.840855] net_ratelimit: 14992 callbacks suppressed
[10153.840859] [tempesta tls] Warning: [::ffff:192.168.122.1] TLS cannot decrypt msg on state Handshake Over, ret=-74(bad ciphertext)
[10153.843922] [tempesta tls] Warning: [::ffff:192.168.122.1] TLS cannot decrypt msg on state Handshake Over, ret=-74(bad ciphertext)
[10153.940461] [tempesta tls] Warning: [::ffff:192.168.122.1] TLS cannot decrypt msg on state Handshake Over, ret=-74(bad ciphertext)
[10153.940473] [tempesta tls] Warning: [::ffff:192.168.122.1] TLS cannot decrypt msg on state Handshake Over, ret=-74(bad ciphertext)
[10153.945246] [tempesta tls] Warning: [::ffff:192.168.122.1] TLS cannot decrypt msg on state Handshake Over, ret=-74(bad ciphertext)
[10153.947550] [tempesta tls] Warning: [::ffff:192.168.122.1] TLS cannot decrypt msg on state Handshake Over, ret=-74(bad ciphertext)
[10153.949924] [tempesta tls] Warning: [::ffff:192.168.122.1] TLS cannot decrypt msg on state Handshake Over, ret=-74(bad ciphertext)
[10153.952290] [tempesta tls] Warning: [::ffff:192.168.122.1] TLS cannot decrypt msg on state Handshake Over, ret=-74(bad ciphertext)
[10153.954743] [tempesta tls] Warning: [::ffff:192.168.122.1] TLS cannot decrypt msg on state Handshake Over, ret=-74(bad ciphertext)
[10153.957227] [tempesta tls] Warning: [::ffff:192.168.122.1] TLS cannot decrypt msg on state Handshake Over, ret=-74(bad ciphertext)
[10158.844526] net_ratelimit: 14689 callbacks suppressed
[10158.844529] [tempesta tls] Warning: [::ffff:192.168.122.1] TLS cannot decrypt msg on state Handshake Over, ret=-74(bad ciphertext)
[10158.849920] [tempesta tls] Warning: [::ffff:192.168.122.1] TLS cannot decrypt msg on state Handshake Over, ret=-74(bad ciphertext)
[10158.854048] [tempesta tls] Warning: [::ffff:192.168.122.1] TLS cannot decrypt msg on state Handshake Over, ret=-74(bad ciphertext)
[10158.858007] [tempesta tls] Warning: [::ffff:192.168.122.1] TLS cannot decrypt msg on state Handshake Over, ret=-74(bad ciphertext)
[10158.862118] [tempesta tls] Warning: [::ffff:192.168.122.1] TLS cannot decrypt msg on state Handshake Over, ret=-74(bad ciphertext)
[10158.866302] [tempesta tls] Warning: [::ffff:192.168.122.1] TLS cannot decrypt msg on state Handshake Over, ret=-74(bad ciphertext)
[10158.870329] [tempesta tls] Warning: [::ffff:192.168.122.1] TLS cannot decrypt msg on state Handshake Over, ret=-74(bad ciphertext)
[10158.874353] [tempesta tls] Warning: [::ffff:192.168.122.1] TLS cannot decrypt msg on state Handshake Over, ret=-74(bad ciphertext)
[10158.881571] [tempesta tls] Warning: [::ffff:192.168.122.1] TLS cannot decrypt msg on state Handshake Over, ret=-74(bad ciphertext)
[10158.886116] [tempesta tls] Warning: [::ffff:192.168.122.1] TLS cannot decrypt msg on state Handshake Over, ret=-74(bad ciphertext)

config:

listen 443 proto=h2;

cache_purge_acl 127.0.0.1;
frang_limits {
   http_strict_host_checking false;
   http_header_cnt 500;
   http_body_len 10485760; #10MB
}

srv_group default {
    server 192.168.122.128:8080 conns_n=1024;
}

tls_certificate /etc/tempesta/tfw-root.crt;
tls_certificate_key /etc/tempesta/tfw-root.key;
tls_match_any_server_name;

vhost debian {
    resp_hdr_set Strict-Transport-Security "max-age=31536000; includeSubDomains";
    proxy_pass default;
}

cache 2;
cache_fulfill * *;
block_action attack reply;
block_action error reply;

http_chain {
  -> debian;
}

Utility:
main.zip
Run: ./flood -address 192.168.122.127:443 -threads 4 -connections 900 -debug 1

@const-t const-t added the bug label May 9, 2024
@krizhanovsky krizhanovsky added the h2 label May 9, 2024
@krizhanovsky krizhanovsky added this to the 0.9 - LA milestone May 9, 2024
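
For triaging a log like the one in this issue, the following script (an added example, not part of the original issue or of Tempesta's code) tallies the visible `[tempesta tls]` warnings per client and adds the `net_ratelimit` suppressed counts to estimate the real message rate. The names `client_key` and `summarize` are this example's own, and the sample is a few lines copied from the log above.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# A few lines copied from the dmesg excerpt quoted in the issue above.
SAMPLE = """\
[10137.585955] [tempesta tls] Warning: bad TLS version 3:23
[10137.587562] [tempesta tls] Warning: [::ffff:192.168.122.1] Bad TLS record (err -0xFFFFF004)
[10153.840855] net_ratelimit: 14992 callbacks suppressed
[10153.840859] [tempesta tls] Warning: [::ffff:192.168.122.1] TLS cannot decrypt msg on state Handshake Over, ret=-74(bad ciphertext)
[10153.843922] [tempesta tls] Warning: [::ffff:192.168.122.1] TLS cannot decrypt msg on state Handshake Over, ret=-74(bad ciphertext)
[10158.844526] net_ratelimit: 14689 callbacks suppressed
[10158.844529] [tempesta tls] Warning: [::ffff:192.168.122.1] TLS cannot decrypt msg on state Handshake Over, ret=-74(bad ciphertext)
"""

TLS_RE = re.compile(r"^\[\s*(\d+\.\d+)\] \[tempesta tls\] Warning: (?:\[([^\]]+)\] )?(.*)$")
RL_RE = re.compile(r"^\[\s*(\d+\.\d+)\] net_ratelimit: (\d+) callbacks suppressed$")

def client_key(raw):
    """Fold IPv4-mapped IPv6 (::ffff:a.b.c.d) to plain IPv4; None if no address was logged."""
    if raw is None:
        return None
    try:
        addr = ipaddress.ip_address(raw)
    except ValueError:
        return raw  # keep unparseable text as-is rather than dropping the line
    return str(getattr(addr, "ipv4_mapped", None) or addr)

def summarize(text):
    """Count visible TLS warnings per client and estimate the overall message rate."""
    per_client = defaultdict(Counter)
    stamps, visible, suppressed = [], 0, 0
    for line in text.splitlines():
        line = line.strip()
        if m := TLS_RE.match(line):
            stamps.append(float(m.group(1)))
            per_client[client_key(m.group(2))][m.group(3)] += 1
            visible += 1
        elif m := RL_RE.match(line):
            stamps.append(float(m.group(1)))
            # The limiter is global: dropped messages cannot be attributed to a
            # client or warning type, so the total is an upper-bound estimate.
            suppressed += int(m.group(2))
    span = max(stamps) - min(stamps) if len(stamps) > 1 else 0.0
    rate = (visible + suppressed) / span if span else 0.0
    return {"per_client": per_client, "visible": visible,
            "suppressed": suppressed, "rate": rate}
```

On the sample, 5 visible warnings stand in for roughly 29,686 messages, which is why counting printed lines alone understates the volume.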