On 24/02/2021 20:05, Marc SCHAEFER wrote:
On Wed, Feb 24, 2021 at 07:27:09PM +0000, tincanteksup wrote:
which suggested to me that openvpn may have some vulnerability to TCP DDoS.
A Linux kernel can offer a few protections against DDoS, for example
SYN cookies to avoid a memory exhaustion with fake TCP connection
openings. You may have to enable it with sysctl (see /etc/sysctl.conf).
I'll take a good look, thanks.
The TLS handshake has not been done yet. The connection will probably
be cut quickly if it does not happen (?).
The server cut the connection in a timely manner, however, nc did not:
CLOSE-WAIT 0 0 127.0.0.1:42714 127.0.0.1:34571
Still not fully cleared over an hour later .. that is the kernel
because nc was terminated. I imagine that can be configured.
Finally closed about 1h10min~1h20min later .. 80 mins default ?
ESTAB 0 0 127.0.0.1:34571 127.0.0.1:42714
ESTAB 0 0 127.0.0.1:42714 127.0.0.1:34571
That's two nexus, because you run the client and server on the same
machine.
"two nexus" you got me there .. I'll have to google that expression.
I wonder if IPv6 has any new features which can customise the initial SYN
packet in any way ?
Not to my knowledge. Why would you want to do that?
Just a passing thought .. I think I just sort of re-invented syn-cookies
without realising it ;-)
I was thinking that IPv6 might have something like that actually defined
by RFC and built in to a syn packet. I mean, why not ?
In fact, this idea seems to be TCP Fast Open
(https://tools.ietf.org/html/rfc7413)
You could use port knocking if you want to hide your service from
attackers.
Nice, obviously openvpn does not need this but, yeah.
Thanks
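The thread looks at `ss` output by eye (the lingering CLOSE-WAIT socket, the two ESTAB halves of one loopback connection) and mentions the SYN-cookie sysctl as the kernel's protection against half-open connection floods. The script below is an added example, not something posted in the thread: it parses text in the format of `ss -tan`, counts sockets per state, reports CLOSE-WAIT sockets (the peer has closed, the local process has not) and the half-open SYN-RECV backlog on a given listening port, and checks whether `net.ipv4.tcp_syncookies` is on by reading `/proc/sys/net/ipv4/tcp_syncookies` when that file exists. The sample listing, the port 34571 from the thread and the peer addresses are constructed for the example; the column layout is assumed to be that of `ss -tan` on a current Linux.

```python
"""Summarise TCP socket states from `ss -tan` text (added example, not from the thread)."""
import os
from collections import Counter

# Constructed sample in the layout of `ss -tan`: header row, then one socket per line.
# The loopback pair and the CLOSE-WAIT entry mirror the thread's listing; the
# SYN-RECV rows are made up to show a half-open backlog on the listening port.
SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN     0      128    0.0.0.0:34571        0.0.0.0:*
CLOSE-WAIT 0      0      127.0.0.1:42714      127.0.0.1:34571
ESTAB      0      0      127.0.0.1:34571      127.0.0.1:42714
ESTAB      0      0      127.0.0.1:42714      127.0.0.1:34571
SYN-RECV   0      0      192.0.2.10:34571     198.51.100.7:51001
SYN-RECV   0      0      192.0.2.10:34571     198.51.100.8:51002
"""

SYNCOOKIES_PROC = "/proc/sys/net/ipv4/tcp_syncookies"  # the sysctl net.ipv4.tcp_syncookies


def parse_ss(text):
    """Return (state, recv_q, send_q, local, peer) tuples, skipping the header."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] == "State":
            continue
        state, recv_q, send_q, local, peer = parts[:5]
        rows.append((state, int(recv_q), int(send_q), local, peer))
    return rows


def state_counts(rows):
    """Sockets per TCP state, e.g. {'ESTAB': 2, 'CLOSE-WAIT': 1, ...}."""
    return Counter(row[0] for row in rows)


def findings(rows, local_port):
    """Things worth a second look on a listener at local_port.

    close_wait: sockets whose peer already closed; only the owning process can
                clear them, so a pile-up points at an application not calling close().
    half_open:  SYN-RECV sockets on the port, i.e. the backlog a SYN flood consumes.
                With tcp_syncookies=1 the kernel stops allocating state once the
                backlog overflows, so this number stays bounded under a flood.
    """
    suffix = ":%d" % local_port
    close_wait = [row for row in rows if row[0] == "CLOSE-WAIT"]
    half_open = [row for row in rows if row[0] == "SYN-RECV" and row[3].endswith(suffix)]
    return {"close_wait": close_wait, "half_open": len(half_open)}


def syncookies_enabled(path=SYNCOOKIES_PROC):
    """True/False from the kernel's tcp_syncookies knob, or None when not available."""
    if not os.path.exists(path):
        return None
    with open(path) as fh:
        # 0 = off, 1 = on when the backlog overflows, 2 = always on.
        return fh.read().strip() in ("1", "2")


if __name__ == "__main__":
    rows = parse_ss(SAMPLE_SS_OUTPUT)
    print("states:", dict(state_counts(rows)))
    print("findings on :34571:", findings(rows, 34571))
    print("SYN cookies enabled:", syncookies_enabled())
```

On a live host replace the constructed string with the output of `ss -tan`; the port argument is whatever the OpenVPN TCP listener uses. The CLOSE-WAIT entries in particular are not a kernel timer matter: they sit there until the process that owns the descriptor closes it.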
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users