Re: [patch] tcp connection tracking 2.4.19

[Gianni Tedesco <gianni@ecsc.co.uk>]

[-- Attachment #1: Type: text/plain, Size: 2381 bytes --]

On Wed, 2002-10-09 at 18:25, Roberto Nibali wrote:
> Hi,
> 
> > "When syncookies are enabled the packets are still answered  and  this
> > value [tcp_max_syn_backlog] is effectively ignored." -- From tcp(7)
> > manpage.
> 
> Fair enough. I thought that last time I checked with the code the SYN 
> cookie functionality would only kick in _after_ the backlog queue is full.

It does. When using syn cookies you cant use some of the new advanced
features of tcp. Linux uses the backlog queue when not under attack.
When the queue overflows it just uses cookies - but can still accept
connections.

> > The whole point of syncookies is to negate the need for a backlog queue.
> 
> Well, after a successful match of the MSS encoded part or the cookie, 
> you add it back to the SYN queue. But yes, the backlog queue is indeed 
> omited.
> 
> > Or did I miss your point?
> 
> Well, my point should have been stated more clearly. It is simply that 
> SYN cookies do not prevent you from being SYN flooded. They provide you, 
> from a user perspective view, a mean to still be able to log in onto 
> your server under a SYN flood because you will send legitimate ACKs and 
> because your connection will not be dropped.
> 
> It doesn't prevent SYN flooding, although I just checked back with 
> ../Documentation/networking/ip-sysctrl.txt:
> [snip]
> tcp_abort_on_overflow.
>          syncookies seriously violate TCP protocol, do not allow
>          to use TCP extensions, can result in serious degradation
>          of some services (f.e. SMTP relaying), visible not by you,
>          but your clients and relays, contacting you. While you see
>          synflood warnings in logs not being really flooded, your server
>          is seriously misconfigured.

I don't think these statements are entirely true. While it is true that
you can't use things like window scaling or SACK - syncookies 100%
successfully stop syn flood attacks.

The attack is that if you fill the syn backlog queue with bogus requests
then legitimate clients can no longer connect. The syn flood attack
isn't "your legitimate connections wont be able to use window scaling".

-- 
// Gianni Tedesco (gianni at ecsc dot co dot uk)
lynx --source www.scaramanga.co.uk/gianni-at-ecsc.asc | gpg --import
8646BE7D: 6D9F 2287 870E A2C9 8F60 3A3C 91B5 7669 8646 BE7D

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 232 bytes --]