On Wed, Feb 24, 2021 at 07:27:09PM +0000, tincanteksup wrote:
> which suggested to me that openvpn may have some vulnerability to TCP DDoS.

A Linux kernel can offer a few protections against DDoS, for example SYN cookies to avoid memory exhaustion from fake TCP connection openings. You may have to enable it with sysctl (see /etc/sysctl.conf).

> Obviously, the connection ultimately fails but I was simply expecting the
> server to drop the subsequent packets without logging anything. Especially
> as both server and client believe that TCP has established a connection,
> even to the extent of:

I guess that the OpenVPN TCP server logs this as soon as the kernel tells it that a new connection is opened (accept(2) returns), aka SYN/SYNACK/ACK, and the client as soon as the ACK is sent. The TLS handshake has not been done yet. The connection will probably be cut quickly if it does not happen (?).

> ESTAB 0 0 127.0.0.1:34571 127.0.0.1:42714
> ESTAB 0 0 127.0.0.1:42714 127.0.0.1:34571

That's two nexus, because you run the client and server on the same machine.

> I wonder if IPv6 has any new features which can customise the initial Syn
> packet in any way ?

Not to my knowledge. Why would you want to do that? You could use port knocking if you want to hide your service from attackers.

> I doubt it but something for me to look into ;-)

If you want to avoid DDoS, look for SYN cookies, and also you may want to use a firewall to limit what IP addresses can connect (if this is possible), or possibly run an IDS/IRS/IPS to detect malicious attempts.

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
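The reply above points at two concrete mitigations: enabling the kernel's SYN cookies and using a firewall to restrict which source addresses may reach the OpenVPN TCP port. The following POSIX shell script is an added example written for this page, not code from the mailing-list thread or from the OpenVPN project. It reads the tcp_syncookies knob (accepting an alternative file path so it can be checked against a saved copy), emits the persistent sysctl line, and generates an nftables ruleset that drops new connections to the OpenVPN port from anything outside an allowed set and rate-limits the rest. The port 1194 and the prefix 192.0.2.0/24 are placeholders for this example; substitute your own values.

```shell
#!/bin/sh
# Added example (not from the thread): SYN-cookie check plus an nftables
# ruleset restricting the OpenVPN TCP port. Port and prefix are placeholders.

# Map a tcp_syncookies value to its documented meaning
# (Documentation/networking/ip-sysctl.rst in the kernel tree):
#   0 = disabled, 1 = cookies only once the SYN backlog overflows, 2 = always.
syncookies_mode() {
    case "$1" in
        0) echo "disabled" ;;
        1) echo "on-overflow" ;;
        2) echo "always" ;;
        *) echo "unknown"; return 1 ;;
    esac
}

# Report the current SYN-cookie mode. Defaults to the live kernel knob; pass a
# path to check a saved copy instead (used by the self-test below).
syncookies_status() {
    f="${1:-/proc/sys/net/ipv4/tcp_syncookies}"
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
    syncookies_mode "$(tr -d '[:space:]' < "$f")"
}

# The line to persist in /etc/sysctl.conf (or a file under /etc/sysctl.d/);
# apply without a reboot via: sysctl -w net.ipv4.tcp_syncookies=1
syncookies_conf_line() {
    echo "net.ipv4.tcp_syncookies = 1"
}

# Generate an nftables ruleset for the OpenVPN TCP port:
#   - drop anything to that port whose source is not in the allowed set
#   - drop new connections from allowed sources that exceed a modest rate
# Load with: openvpn_nft_ruleset 1194 192.0.2.0/24 | nft -f -
openvpn_nft_ruleset() {
    port="${1:-1194}"            # placeholder: OpenVPN TCP port
    allowed="${2:-192.0.2.0/24}" # placeholder: documentation prefix (RFC 5737)
    cat <<EOF
table inet openvpn_guard {
    set allowed_clients {
        type ipv4_addr
        flags interval
        elements = { $allowed }
    }
    chain input {
        type filter hook input priority 0; policy accept;
        tcp dport $port ip saddr != @allowed_clients drop
        tcp dport $port ct state new limit rate over 10/second burst 20 packets drop
    }
}
EOF
}

# Usage when run directly (no arguments): show the live setting and the config.
if [ "${1:-}" = "--show" ]; then
    printf 'tcp_syncookies: %s\n' "$(syncookies_status)"
    syncookies_conf_line
    openvpn_nft_ruleset
fi
```

Run it with `--show` to print the current SYN-cookie mode, the sysctl line, and the ruleset. Note that SYN cookies only protect the kernel's half-open queue; the log noise the original poster observed happens after accept(2) returns, so the nftables source restriction is what keeps unwanted peers from completing the three-way handshake at all.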