From: Marco Padovan <evcz@evcz.tk>
To: Steve Kann <stevek@stevek.com>
Cc: netfilter@vger.kernel.org
Subject: Re: SYN Cookies vs ip_conntrack in SYN Flood conditions
Date: Wed, 06 Mar 2013 00:22:04 +0100 [thread overview]
Message-ID: <51367E1C.30003@evcz.tk> (raw)
In-Reply-To: <27426969-529E-4D02-A526-39BB80C685D1@stevek.com>
Having same kind of issues here... :D
btw syn cookies are not much useful (at least in my case) with decent
pps rates (>10k) :(
Il 28/02/2013 18.28, Steve Kann ha scritto:
> Netfilter-wizards,
>
> I've been playing around with using iptables and syncookies to try to harden a linux box against SYN Flood attacks, and I seem to have run into something which doesn't work the way I'd want it to.
>
> Ideally, I'd like to create a situation where there protected host could withstand very high volume SYN attacks (in the order of hundreds of thousands of forged SYN packets per second), as well as fairly significant legitimate traffic volumes (hundreds of megabits).
>
> From what I've observed, if you have a host which uses ip_conntrack to track connections, and that host is under SYN flood conditions and has begun to send SYN cookies, connection table entries are created for these embryonic connections.
>
> This seems counter to the design intent of syn cookies, in that ideally, we would like to keep no state at all for TCP connections until the TCP handshake is completed.
>
> It seems there's a couple of options:
> a) Abandon ip_conntrack (and all stateful iptables rules): This seems to work, but it limits the scope of available rules. I've also read some concerns about performance implications here.
>
> b) (this is why I'm coming here): Is there any way to defer ip_conntrack table population until the TCP initiator sends back their valid ACK packet with the SYN Cookie response? This would seem to be the ideal solution, as it would retain the stateless intent of syncookies, but allow state tracking for more advanced iptables rules.
>
> This seems like something others would have run into before, so I hope I've come to the right place for advice.
>
> Thanks!
>
> -SteveK
>
>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
prev parent reply other threads:[~2013-03-05 23:22 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-02-28 17:28 SYN Cookies vs ip_conntrack in SYN Flood conditions Steve Kann
2013-03-05 23:22 ` Marco Padovan [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=51367E1C.30003@evcz.tk \
--to=evcz@evcz.tk \
--cc=netfilter@vger.kernel.org \
--cc=stevek@stevek.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox