Re: [patch] tcp connection tracking 2.4.19

From: Gianni Tedesco (gianni@ecsc.co.uk)
Date: Thu Oct 10 2002 - 05:38:30 EST

Next message: Miquel van Smoorenburg: "Re: [PATCH] O_STREAMING - flag for optimal streaming I/O"
Previous message: Marco Colombo: "Re: [PATCH] O_STREAMING - flag for optimal streaming I/O"
In reply to: Roberto Nibali: "Re: [patch] tcp connection tracking 2.4.19"
Next in thread: Roberto Nibali: "Re: [patch] tcp connection tracking 2.4.19"
Reply: Roberto Nibali: "Re: [patch] tcp connection tracking 2.4.19"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, 2002-10-09 at 18:25, Roberto Nibali wrote:
> Hi,
>
> > "When syncookies are enabled the packets are still answered and this
> > value [tcp_max_syn_backlog] is effectively ignored." -- From tcp(7)
> > manpage.
>
> Fair enough. I thought that last time I checked with the code the SYN
> cookie functionality would only kick in _after_ the backlog queue is full.

It does. When using syn cookies you cant use some of the new advanced
features of tcp. Linux uses the backlog queue when not under attack.
When the queue overflows it just uses cookies - but can still accept
connections.

> > The whole point of syncookies is to negate the need for a backlog queue.
>
> Well, after a successful match of the MSS encoded part or the cookie,
> you add it back to the SYN queue. But yes, the backlog queue is indeed
> omited.
>
> > Or did I miss your point?
>
> Well, my point should have been stated more clearly. It is simply that
> SYN cookies do not prevent you from being SYN flooded. They provide you,
> from a user perspective view, a mean to still be able to log in onto
> your server under a SYN flood because you will send legitimate ACKs and
> because your connection will not be dropped.
>
> It doesn't prevent SYN flooding, although I just checked back with
> ../Documentation/networking/ip-sysctrl.txt:
> [snip]
> tcp_abort_on_overflow.
> syncookies seriously violate TCP protocol, do not allow
> to use TCP extensions, can result in serious degradation
> of some services (f.e. SMTP relaying), visible not by you,
> but your clients and relays, contacting you. While you see
> synflood warnings in logs not being really flooded, your server
> is seriously misconfigured.

I don't think these statements are entirely true. While it is true that
you can't use things like window scaling or SACK - syncookies 100%
successfully stop syn flood attacks.

The attack is that if you fill the syn backlog queue with bogus requests
then legitimate clients can no longer connect. The syn flood attack
isn't "your legitimate connections wont be able to use window scaling".

-- // Gianni Tedesco (gianni at ecsc dot co dot uk) lynx --source www.scaramanga.co.uk/gianni-at-ecsc.asc | gpg --import 8646BE7D: 6D9F 2287 870E A2C9 8F60 3A3C 91B5 7669 8646 BE7D

application/pgp-signature attachment: This is a digitally signed message part

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/

Next message: Miquel van Smoorenburg: "Re: [PATCH] O_STREAMING - flag for optimal streaming I/O"
Previous message: Marco Colombo: "Re: [PATCH] O_STREAMING - flag for optimal streaming I/O"
In reply to: Roberto Nibali: "Re: [patch] tcp connection tracking 2.4.19"
Next in thread: Roberto Nibali: "Re: [patch] tcp connection tracking 2.4.19"
Reply: Roberto Nibali: "Re: [patch] tcp connection tracking 2.4.19"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b29 : Tue Oct 15 2002 - 22:00:36 EST