[Bug 57091] Re: proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...

2018-05-24 Thread Simon Iremonger
FWIW   Although syncookies has long-since been enabled upstream, the
outdated comments in sysctl about syncookies still persist, I have now
created new   ubuntu bug  #1773157  [please comment there].

[This also requests ECN-on-outgoing enablement which has similarly
matured etc.].

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/57091

Title:
  proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to
  permit SYN flood defense...

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/procps/+bug/57091/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 57091] Re: proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...

2017-12-11 Thread Nils Toedtmann
I filed a request for ufw not to override
https://bugs.launchpad.net/ubuntu/+source/ufw/+bug/1737585

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/57091

Title:
  proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to
  permit SYN flood defense...

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/procps/+bug/57091/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 57091] Re: proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...

2016-10-07 Thread Matthew Caron
Will do, Simon.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/57091

Title:
  proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to
  permit SYN flood defense...

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/procps/+bug/57091/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


Re: [Bug 57091] Re: proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...

2016-10-07 Thread Simon Iremonger
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

> Bog standard 16.04 has it turned on (from the above referenced 10
> -network-security.conf).
> But, if you then enabled ufw, it gets disabled, due to the default
> setting in /etc/ufw/sysctl.conf.

> There seems to be serious debate as to whether or not enabling it is
> correct.

I haven't seen why not to enable use of adaptive syncookies, aiui
this creates no _disadvantage_ if not being triggered...

I CAN understand that for some scenarios the 'right thing to do'
is Increase the tcp_max_syn_backlog as cookies are triggering too
easily, even then it won't stop connections being accepted albeit
with less tcp options possible, but then without syncookies
the connections would be dropped as the syn queue fills...

> What I know is that I just spent two hours trying to figure out why SANE 
> took forever to detect my network scanner, and this syslog entry clued 
> me in:
> Oct  6 22:54:26 hiro kernel: [48562.817258] TCP: request_sock_TCP:
> Possible SYN flooding on port 34029. Dropping request.  Check SNMP
> The dropped request was responsible for the delay. If I enable syn
> cookies, I get:
> Oct  6 22:57:28 hiro kernel: [48744.796029] TCP: request_sock_TCP:
> Possible SYN flooding on port 42041. Sending cookies.  Check SNMP
> capture it, there's ONE SYN request and the kernel thinks it's a
> "flood".. which makes no sense.

Weird :).
I can't say I'm familiar with uwf, but I wonder if it is somehow
oversensitive in its' own ip(6)tables or they are fiddling with:-

/proc/sys/net/ipv4/tcp_max_syn_backlog


Do raise bug in the ufw // ufw sysctl.conf   Also email me 
separately the relevant bug numbers etc., be curious to see!!

- --Simon
-BEGIN PGP SIGNATURE-
Version: GnuPG v1
Comment: Topal (http://freshmeat.net/projects/topal)

iF4EAREIAAYFAlf3SqEACgkQA62i3HuJ2aHNCwEAnK4NvLNm/tKHzFNSEK+KRNMB
6hZOZ6tcnbecljP1+dAA/3C0bmEHFXEzeLF3xYNSco+py2TbD2bNPzXbG0NKsupb
=Fh0+
-END PGP SIGNATURE-

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/57091

Title:
  proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to
  permit SYN flood defense...

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/procps/+bug/57091/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 57091] Re: proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...

2016-10-06 Thread Matthew Caron
Well, and it gets more interesting.

Bog standard 16.04 has it turned on (from the above referenced 10
-network-security.conf).

But, if you then enabled ufw, it gets disabled, due to the default
setting in /etc/ufw/sysctl.conf.

There seems to be serious debate as to whether or not enabling it is
correct.

What I know is that I just spent two hours trying to figure out why SANE
took forever to detect my network scanner, and this syslog entry clued
me in:

Oct  6 22:54:26 hiro kernel: [48562.817258] TCP: request_sock_TCP:
Possible SYN flooding on port 34029. Dropping request.  Check SNMP
counters.

The dropped request was responsible for the delay. If I enable syn
cookies, I get:

Oct  6 22:57:28 hiro kernel: [48744.796029] TCP: request_sock_TCP:
Possible SYN flooding on port 42041. Sending cookies.  Check SNMP
counters.

and it's basically instant.

On top of all of this, there isn't a lot of traffic - this is SANE
talking to a vendor-provided scanner backend over localhost. If I
capture it, there's ONE SYN request and the kernel thinks it's a
"flood".. which makes no sense.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/57091

Title:
  proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to
  permit SYN flood defense...

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/procps/+bug/57091/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 57091] Re: proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...

2016-05-18 Thread antisa
Here is the entry from ...10-network-security.conf from 16.04 (although
from Desktop edition)

"
# Turn on SYN-flood protections.  Starting with 2.6.26, there is no loss
# of TCP functionality/features under normal conditions.  When flood
# protections kick in under high unanswered-SYN load, the system
# should remain more stable, with a trade off of some loss of TCP
# functionality/features (e.g. TCP Window scaling).
net.ipv4.tcp_syncookies=1


"

Guess it hasn't been removed.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/57091

Title:
  proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to
  permit SYN flood defense...

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/procps/+bug/57091/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 57091] Re: proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...

2016-02-15 Thread Simon Iremonger
Upstream kernel have decided to enable syncookies by default (according to that 
debian bug, since Linux 2.6.37!).
This makes sense, as the main downsides have already been resolved (especially 
window scaling even under syncookies-activation), and this feature only 
kicks-in if the SYN-queue is overloaded.

We might now consider taking out this (now superfluous) tcp_syncookies
entry from /etc/sysctl.d/10-network-security.conf ...


I think, a similar situation has now arisen with respect to the
"tcp_ecn" setting, where the (conservative) (enabled by default)
fallback mechanism in the kernel, along with the rarity of ecn-
intolerance, along with the wide ECN-adoption in practice in Apple ios /
MAC OS X now, along with the importance of ECN for smooth responsive
internet in the face of congestion, means that this tcp_ecn setting
should similarly be seriously considered.   This should be the subject
of new bug report right-soon-now =).

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/57091

Title:
  proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to
  permit SYN flood defense...

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/procps/+bug/57091/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


Re: [Bug 57091] Re: proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...

2009-10-09 Thread Simon Iremonger
On Fri, 9 Oct 2009, Olaf van der Spek wrote:
> Has this request been forwarded upstream (lkml)?

Not that I am aware of.

It would be good for this confusion/misinformation to get sorted
   out properly.
Why is it that some wish to make sweeping statements and not
   understand the whole situation?

What do you do in this circumstance?

--Simon

-- 
proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN 
flood defense...
https://bugs.launchpad.net/bugs/57091
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 57091] Re: proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...

2009-10-09 Thread Olaf van der Spek
Has this request been forwarded upstream (lkml)?

-- 
proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN 
flood defense...
https://bugs.launchpad.net/bugs/57091
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


Re: [Bug 57091] Re: proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...

2009-09-25 Thread Simon Iremonger
>> Ah, nice. I kinda expected a link to the package version in which it
got fixed.

The silly thing is
There is misinformation in the /etc/sysctl.conf now!

It says:-
"# This disables TCP Window Scaling (http://lkml.org/lkml/2008/2/5/167)"
First of all that is incorrect as a blanket statement.
A connection 'saved by syncookies' used to not allow window scaling.
But, it always worked fine solong as there was not a synflood going on!

Secondly, its' completely wrong now, because newer kernel
   SynCookies, will ALWAYS allow window scaling, regardless
   of syncookies having 'kicked in' or not!

That could do with just being removed.

--Simon

-- 
proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN 
flood defense...
https://bugs.launchpad.net/bugs/57091
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


Re: [Bug 57091] Re: proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...

2009-09-25 Thread Olaf van der Spek
On Fri, Sep 25, 2009 at 4:56 PM, Kees Cook  wrote:
> Olaf: that's why it is "fix released".  :)  It is enabled in Ubuntu now.

Ah, nice. I kinda expected a link to the package version in which it got
fixed.

-- 
proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN 
flood defense...
https://bugs.launchpad.net/bugs/57091
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Re: [Bug 57091] Re: proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...

2009-09-25 Thread Olaf van der Spek
Ah, nevermind, I can't read, it's at the bottom of that message.

On Fri, Sep 25, 2009 at 5:18 PM, Olaf van der Spek  wrote:
> On Fri, Sep 25, 2009 at 4:56 PM, Kees Cook  wrote:
>> Olaf: that's why it is "fix released".  :)  It is enabled in Ubuntu now.
>
> Ah, nice. I kinda expected a link to the package version in which it got 
> fixed.
>

-- 
proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN 
flood defense...
https://bugs.launchpad.net/bugs/57091
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 57091] Re: proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...

2009-09-25 Thread Kees Cook
Olaf: that's why it is "fix released".  :)  It is enabled in Ubuntu now.

-- 
proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN 
flood defense...
https://bugs.launchpad.net/bugs/57091
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 57091] Re: proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...

2009-09-25 Thread Olaf van der Spek
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=520668

** Bug watch added: Debian Bug tracker #520668
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=520668

-- 
proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN 
flood defense...
https://bugs.launchpad.net/bugs/57091
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 57091] Re: proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...

2009-09-25 Thread Olaf van der Spek
Are there any updates on this issue?
I don't see any counter arguments to the fact syn cookies only take effect 
after the queue is full.
Ideally this would be changed upstream, maybe an Ubuntu kernel dev could 
contact upstream about this?

-- 
proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN 
flood defense...
https://bugs.launchpad.net/bugs/57091
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 57091] Re: proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...

2009-05-19 Thread pablomme
> Yes please.

Ok.

> I would initially assume that some other issue has caused the
> kernel to stop handling network traffic rather than high network traffic
> stopping the kernel.

The kernel did not stop, nor did the networking or anything else other
than X.

-- 
proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN 
flood defense...
https://bugs.launchpad.net/bugs/57091
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


Re: [Bug 57091] Re: proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...

2009-05-19 Thread Kees Cook
On Tue, May 19, 2009 at 04:11:18PM -, pablomme wrote:
> Should I open a new bug report with this?

Yes please.  I would initially assume that some other issue has caused the
kernel to stop handling network traffic rather than high network traffic
stopping the kernel.

-- 
proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN 
flood defense...
https://bugs.launchpad.net/bugs/57091
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 57091] Re: proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...

2009-05-19 Thread pablomme
I think this may have introduced a regression. While using aMule on my
amd64 Jaunty desktop, there is a point at which the screen freezes and X
stops responding to input (the mouse pointer moves, but it does not
interact with anything). Ctrl-Shift-F1-6 won't drop me to a TTY. I
believe the hang affects X exclusively, since the system continues
logging and SysRq keys work fine.

All four times that this has happened I get this line repeatedly in
/var/log/messages:

May 18 22:34:27 tinymme kernel: [ 9389.660132] possible SYN flooding on
port 34443. Sending cookies.

at a rate of one per minute. These messages start at the same time as X
hangs. Port 34443 is the TCP port I configured for use by aMule.

Two issues here:
 - SYN flood protection may be being mis-triggered by legitimate network load
 - the protection itself seems to be causing a problem with X (directly or 
indirectly)

I wouldn't think this is an interaction between the kernel and X if it
weren't for the fact that I've had multiple instances of the problem
with the same log entries, but I may as well be missing something (even
though other log files are clean). Should I open a new bug report with
this?

-- 
proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN 
flood defense...
https://bugs.launchpad.net/bugs/57091
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 57091] Re: proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...

2009-02-09 Thread Kees Cook
procps (1:3.2.7-11ubuntu1) jaunty; urgency=low

  * Merge from debian unstable, remaining changes:
- debian/{postinst,rules}: init script to priority 17, remove on upgrade.
- debian/rules (Ubuntu-specific):
  - install sysctl files from new sysctl.d directory.
  - append debian/sysctl.d/*.conf.$DEB_HOST_ARCH to 10-arch-specific.conf
- debian/sysctl.d (Ubuntu-specific):
  - 10-console-messages.conf: stop low-level kernel messages on console.
  - 10-network-security.conf: enable "rp_filter" by default.
  - 10-process-security.conf: block lower 64k allocations to protect
kernel from NULL deref attacks.
  - 10-keyboard.conf.powerpc: mouse button emulation on PowerPC.
  * procps-3.2.7/debian/{preinst,postinst,postrm}: drop
sysctl.d/10-tcp-timestamps-workaround.conf again now that we have a
fixed kernel, and make sure it gets removed on upgrade to this version
(LP: #264019, duplicated from 1:3.2.7-9ubuntu2.1).
  * debian/sysctl.d/10-network-security.conf: enable SYN-flood protection
by default (LP: #57091).


** Changed in: procps (Ubuntu)
Sourcepackagename: None => procps
   Importance: Undecided => Medium
 Assignee: (unassigned) => Kees Cook (kees)
   Status: Incomplete => Fix Released

-- 
proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN 
flood defense...
https://bugs.launchpad.net/bugs/57091
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


Re: [Bug 57091] Re: proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...

2008-10-23 Thread Simon Iremonger
On Thu, 23 Oct 2008, KimOlsen wrote:
>> "...option causes the system to violate the TCP standard..."
> I do not think this is the case. If you check RFC4732 they list this as
> a possible way to help against DoS attacks.

> I also believe that window scaling is not affected, but large windows
> are. But accepting legit traffic without large windows is better than
> dropping the connections.
Note, that, seemingly, as of Linux 2.6.26, tcp connections with
   "large windows" can now be accepted under syn-flood too!  So,
   even that, no longer matters, seemingly...

> So if the implementation is an adaptive one that only use SYN
> cookies when under huge load, then I am all for this.
Yes, it is.
Linux produces messages on the kernel log, to say "sending cookies"
   when this happens.  I.e. SYN-cookies do NOT come into play unless
   there is a high load of incoming connections.

I can understand that some systems receiving a legitimately high
   number of connections, it may be necessary to increase the
   net.ipv4.tcp_max_syn_backlog (or whatever it is, exactly) to
   avoid the use of cookies... but that *still* does not create
   any reason not to have set tcp_syncookies=1 !!

> At least in the server edition.
I don't see why the install CD type matters, myself...
Any install can result in some use of TCP listening sockets
   somewhere!  Also... that then means extra work to setup
   different sysctl settings based upon install-disk...

But thats' only my thoughts...

It would be good to get this sorted-out properly...  But I don't
   know what other information is needed.  I guess the problem is
   not information.. in this world of information-overload ;-).

If Ubuntu networking team, don't want to change the setting, they
   don't want to change the setting... puzzling...


--Simon

-- 
proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN 
flood defense...
https://bugs.launchpad.net/bugs/57091
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 57091] Re: proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...

2008-10-23 Thread KimOlsen
>"...option causes the system to violate the TCP standard..."

I do not think this is the case. If you check RFC4732 they list this as
a possible way to help against DoS attacks.

I also believe that window scaling is not affected, but large windows
are. But accepting legit traffic without large windows is better than
dropping the connections.

So if the implementation is an adaptive one that only use SYN cookies
when under huge load, then I am all for this. At least in the server
edition.

-- 
proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN 
flood defense...
https://bugs.launchpad.net/bugs/57091
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 57091] Re: proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...

2008-09-26 Thread enyc
** Changed in: ubuntu
   Status: Invalid => Incomplete

-- 
proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN 
flood defense...
https://bugs.launchpad.net/bugs/57091
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 57091] Re: proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...

2008-09-14 Thread Simon Iremonger
On Fri, 12 Sep 2008, Kees Cook wrote:
> Enabling syncookies disables TCP window scaling[1],

I think this is incorrect as-stated  But this should be
  confirmed/proved/disproved.

As far as I have found out elsewhere, the syn-cookies support
  in Linux is adaptive, and does NOT come into play unless
  there is an overflow of SYN_RECVD ...

I.e. tcp window scaling DOES work with syncookies=1 -- just
  not when there is a real syn-flood-problem ... but...
  if syncookies was not enabled, such a connection would
  likely not succeed at all!  -- what is better? ;-).
  (but --see below -- situation is now different with latest
  kernel!)


> and in most situations,
> existing SYN-flood protections in the kernel
> already address most sorts of those attacks.

What are these 'existing SYN-flood protections'
  and how do they work?

Inceasing the backlog is simply increasing a finite limit --
  randomly dropping SYN_RECVD entries also makes syn-flooding
  slightly less effective relateve to forged-syn-traffic -- but
  -- it still should not actually take much traffic to overload
  the finite limits on SYN_RECVD thereby making new legitimate
  connections unlikely to succeed.

The crptographic cookie approach avoids the need for the syn
  packet backlog... and stops the repetition of syn+ack
  packehs in those cases.


> In some situations (perhaps like what alecm3 was experiencing)
> there are situations it might be needed,
I suspect that... with a busy server with many clients connecting
  a lot and connecting from slow links, it may be necessary to
  raise net.ipv4.tcp_max_syn_backlog because of legitimate
  rate/number of such not-yet-completed incoming-connections.


Its' worth reading this article:-
http://lwn.net/Articles/277146/

Seemingly 2.6.26 now supports syncookies on ipv6 too, and
  now supports connections with window-scaling even
  if connection was saved by syncookies.

Rather than having arguments over the value of the setting
  etc... --   How do we get this properly investigated
  and sorted out?

--Simon

-- 
proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN 
flood defense...
https://bugs.launchpad.net/bugs/57091
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 57091] Re: proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...

2008-09-12 Thread Kees Cook
Enabling syncookies disables TCP window scaling[1], and in most situations, 
existing SYN-flood protections in the kernel 
already address most sorts of those attacks.  In some situations (perhaps like 
what alecm3 was experiencing) there are situations it might be needed, but for 
a default, I am against[2][3] it if for no other reason than keeping window 
scaling working.

[1] http://lkml.org/lkml/2008/2/5/167
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=495884
[3] 
http://launchpadlibrarian.net/16972932/procps_1%3A3.2.7-8ubuntu2_1%3A3.2.7-9ubuntu1.diff.gz

-- 
proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN 
flood defense...
https://bugs.launchpad.net/bugs/57091
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 57091] Re: proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...

2008-09-12 Thread alecm3
We installed 2 production servers and suddenly we started getting
strange connection problems, with no errors in the application or system
logs. The problems were highly intermittent, but amounted to being
unable to connect to a port our TCP server was receiving client internet
connections on.

After 3 days of debugging (netfilter, the server application, writing
custom bash/awk programs to poll and graph netstat, doing tcpdumps) the
problem what traced to random SYN attacks.

It turns out that net.ipv4.tcp_syncookies=1 is commented out in the
*server* edition of Ubuntu 8.04!

After all this wasted time (and upset users), my only reaction is
"WTF...?" We have many SuSE production servers, starting from 9.0 and
they all came with syn cookies enabled. Messages like

possible SYN flooding on port 80. Sending cookies.

are *very* common in /var/log/messages, anybody who has run a heavily
loaded server with many connections has seen tons of them.

A developer above seems to answer that "use of this option causes the
system to violate the TCP standard". I guess SuSE developers understood
better that a server-intended Linux distribution is not a computer
science exercise, but an operating system that is *actually used* for
production servers.

-- 
proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN 
flood defense...
https://bugs.launchpad.net/bugs/57091
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 57091] Re: proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...

2006-09-08 Thread Matt Zimmerman
SYN cookies are disabled by default in Ubuntu for the same reason they
are disabled by default in the kernel.  According to the kernel
documentation, use of this option causes the system to violate the TCP
standard, and so is only intended to be used to mitigate an attack in
progress.

** Changed in: procps (Ubuntu)
Sourcepackagename: procps => None
   Status: Unconfirmed => Rejected

-- 
proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN 
flood defense...
https://launchpad.net/bugs/57091

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 57091] Re: proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...

2006-09-03 Thread enyc
Jeremy,
I can confirm that SYNcookies are NOT part of the firewall mechanism of the 
kernel.

CONFIG_NETFILTER option in linux 2.6 is the toggle for linux packet
filtering support called 'netfilter'(iptables)... There are many sub-
choices/options for netfilter.

CONFIG_SYN_COOKIES however is a different choice, that allows you to
enable/disable compiling support for SYNcookies SYN-flood-defense
support.

Please also note that you generally cannot properly 'firewall out' a
typical spoofed-source SYN flood without preventing legitimate access to
your server.

-- 
proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN 
flood defense...
https://launchpad.net/bugs/57091

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 57091] Re: proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...

2006-08-31 Thread Jeremy Vies
Sorry, I didn't know that ftp was not a server program...

My point of view is that it should not be activated by default, but
should be easily configurable with a GUI, probably the same GUI that
should configure the FW.

I add the ubuntu network team and the ubuntu security team to the bug.

-- 
proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN 
flood defense...
https://launchpad.net/bugs/57091

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 57091] Re: proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...

2006-08-21 Thread Jeremy Vies
For me syncookies is the same problem as FW is.
As you said, as long as you don't start a network service, your computer is 
safe. If you start a SSH server or whatever, you have to protect your system 
from DoS or other attacks...

(By the way, if your server is reachable from the internet, as soon as
you open a network service, you will need some iptables rules to filter
some attacks, as ssh scans for example.)

-- 
proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN 
flood defense...
https://launchpad.net/bugs/57091

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 57091] Re: [Bug 57091] Re: proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...

2006-08-21 Thread enyc
On Mon, 21 Aug 2006, Jeremy Vies wrote:
> I think "tcp_syncookies" is considered as part of the FW mechanism of the 
> kernel.
> As Dapper (and previous releases) does not provide any FW out of the box, it 
> is normal that tcp_syncookies are not activated by default.
> Your bug repport should be put as a wish for next release, and maybe linked 
> to bug about the "missing FW" in Ubuntu.
Urrm... Well a firewall addon is another matter...
That is for blocking ports and particular hosts and soforth.

Ubuntu (sensibly) starts with no 'open ports' (except on 127.0.0.1)
  unless you add a service or install a LAMP server...

It doesnt need a firewall for a lot of cases -- firewall just adds
  needless extra complexity Just dont start services you dont
  want. Only need to add a firewall if you want to control access
  of particular IP addresses and soforth...

But w/o syncookies your VNC or SSH or Samba-shares or whatever can
  be trivially DoSed from low-bandwidth-connection which is rather
  silly really. I understand they dont actually change anything
  about TCP behaviour until there are too many SYN_RECVD entries,
  at which point the syncookies 'kick in' permitting access to
  your TCP servers which under continuing SYN flood

--enyc <[EMAIL PROTECTED]>

-- 
proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN 
flood defense...
https://launchpad.net/bugs/57091

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 57091] Re: proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...

2006-08-21 Thread Jeremy Vies
Hi enyc,

I think "tcp_syncookies" is considered as part of the FW mechanism of the 
kernel.
As Dapper (and previous releases) does not provide any FW out of the box, it is 
normal that tcp_syncookies are not activated by default.
Your bug repport should be put as a wish for next release, and maybe linked to 
bug about the "missing FW" in Ubuntu.

-- 
proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN 
flood defense...
https://launchpad.net/bugs/57091

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs