Re: [patch] tcp connection tracking 2.4.19

[Roberto Nibali <ratz@drugphish.ch>]

Hi,

> "When syncookies are enabled the packets are still answered  and  this
> value [tcp_max_syn_backlog] is effectively ignored." -- From tcp(7)
> manpage.

Fair enough. I thought that last time I checked with the code the SYN 
cookie functionality would only kick in _after_ the backlog queue is full.

> The whole point of syncookies is to negate the need for a backlog queue.

Well, after a successful match of the MSS encoded part or the cookie, 
you add it back to the SYN queue. But yes, the backlog queue is indeed 
omited.

> Or did I miss your point?

Well, my point should have been stated more clearly. It is simply that 
SYN cookies do not prevent you from being SYN flooded. They provide you, 
from a user perspective view, a mean to still be able to log in onto 
your server under a SYN flood because you will send legitimate ACKs and 
because your connection will not be dropped.

It doesn't prevent SYN flooding, although I just checked back with 
../Documentation/networking/ip-sysctrl.txt:

tcp_syncookies - BOOLEAN
         Only valid when the kernel was compiled with CONFIG_SYNCOOKIES
         Send out syncookies when the syn backlog queue of a socket
         overflows. This is to prevent against the common 'syn flood attack'
         Default: FALSE

         Note, that syncookies is fallback facility.
         It MUST NOT be used to help highly loaded servers to stand
         against legal connection rate. If you see synflood warnings
         in your logs, but investigation shows that they occur
         because of overload with legal connections, you should tune
         another parameters until this warning disappear.
         See: tcp_max_syn_backlog, tcp_synack_retries, 
tcp_abort_on_overflow.

         syncookies seriously violate TCP protocol, do not allow
         to use TCP extensions, can result in serious degradation
         of some services (f.e. SMTP relaying), visible not by you,
         but your clients and relays, contacting you. While you see
         synflood warnings in logs not being really flooded, your server
         is seriously misconfigured.

The best thing is to go back and check with the actual implementation. 
I'm just checking on ../net/ipv4/tcp_ipv4.c:tcp_v4_conn_request():

[...]
         if (tcp_synq_is_full(sk) && !isn) {
#ifdef CONFIG_SYN_COOKIES
                 if (sysctl_tcp_syncookies) {
                         want_cookie = 1;
                 } else
#endif
                 goto drop;
         }

         /* Accept backlog is full. If we have already queued enough
          * of warm entries in syn queue, drop request. It is better than
          * clogging syn queue with openreqs with exponentially increasing
          * timeout.
          */
         if (tcp_acceptq_is_full(sk) && tcp_synq_young(sk) > 1)
                 goto drop;
[...]

Best regards and sorry for the confusion,
Roberto Nibali, ratz
-- 
echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq'|dc