Public bug reported:

Description:    Ubuntu 20.04.3 LTS
Release:        20.04
unbound/focal,focal-updates,focal-security,now 1.9.4-2ubuntu1.2 amd64 [installed]
Hello,

We have an issue with the unbound package. In some cases of usage we have a certain number of idle TCP sessions which block any new TCP sessions to this server.

1. One of our users initiates a wild number of TCP sessions and stops 30 min later.
2. Those sessions max out `thread0.tcpusage` according to our setting `incoming-num-tcp:`.
3. No more TCP connections are possible. UDP is still responding.
4. We log the established TCP sessions with `lsof -i :53`.
5. *12 hours later* the *same* TCP sessions are still ESTABLISHED (same client ports, same host).
6. A tcpdump on this interface shows no TCP packet at all for more than 15 min ... but `net.ipv4.tcp_keepalive_time = 7200` or tcp-idle-timeout (actually 30 sec) should have kicked in.
7. Still no more TCP connections are possible.

A restart of this service resolves the bug.

This bug is hard to reproduce and we didn't find the client/usage which triggers it every time, nor do we have more information on our client's real infra/clients/libraries. But in the right conditions, it can happen a lot.

But we think we are not the only ones experiencing this kind of bug: this is the same as 2 bugs reported on the unbound mailing list:

* https://lists.nlnetlabs.nl/pipermail/unbound-users/2019-August/006361.html
* https://lists.nlnetlabs.nl/pipermail/unbound-users/2019-October/006487.html

And this seems to be fixed by this MR in the next version of unbound. From the Unbound 1.9.6 changelog ( https://www.nlnetlabs.nl/projects/unbound/download/#unbound-1-9-6 ):

```
Merge pull request #122 from he32: In tcp_callback_writer(), don't disable time-out when changing to read.
```

Referring to: https://github.com/NLnetLabs/unbound/pull/122

This MR/fix is quite simple, so I'm asking if we can cherry-pick this fix on this version of unbound to avoid a potential DoS on this service and fix that issue.

Thanks in advance :)

** Affects: unbound (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1947552

Title:
  Idle tcp connections

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
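Added example, not part of the bug report or of unbound itself: a small Python check that reproduces the diagnosis in steps 2 to 5 offline, flagging threads whose `tcpusage` counter has reached `incoming-num-tcp` and listing peer sessions that are still ESTABLISHED across two `lsof -i :53` snapshots. The stats lines, the lsof snapshots, the peer addresses and the `incoming-num-tcp` value of 10 are constructed assumptions.

```python
import re

# Constructed `unbound-control stats` excerpt; only the tcpusage lines matter here.
SAMPLE_STATS = """\
thread0.num.queries=10423
thread0.tcpusage=10
thread1.tcpusage=3
total.num.queries=20846
"""

# Two constructed `lsof -i :53` snapshots taken hours apart (documentation addresses).
LSOF_T0 = """\
COMMAND   PID    USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
unbound  1234 unbound   9u  IPv4  45690      0t0  TCP 192.0.2.53:domain->198.51.100.7:41200 (ESTABLISHED)
unbound  1234 unbound  10u  IPv4  45691      0t0  TCP 192.0.2.53:domain->198.51.100.7:41201 (ESTABLISHED)
unbound  1234 unbound  11u  IPv4  45692      0t0  TCP 192.0.2.53:domain->203.0.113.9:55000 (ESTABLISHED)
"""
LSOF_T1 = """\
unbound  1234 unbound   9u  IPv4  45690      0t0  TCP 192.0.2.53:domain->198.51.100.7:41200 (ESTABLISHED)
unbound  1234 unbound  10u  IPv4  45691      0t0  TCP 192.0.2.53:domain->198.51.100.7:41201 (ESTABLISHED)
unbound  1234 unbound  12u  IPv4  45700      0t0  TCP 192.0.2.53:domain->203.0.113.9:55017 (ESTABLISHED)
"""

INCOMING_NUM_TCP = 10  # assumed value of incoming-num-tcp in unbound.conf

TCPUSAGE_RE = re.compile(r"^thread(\d+)\.tcpusage=(\d+)$")
SESSION_RE = re.compile(r"TCP \S+->(\S+) \(ESTABLISHED\)")

def tcp_usage(stats_text):
    """Map thread index -> held incoming TCP buffers, parsed from stats output."""
    usage = {}
    for line in stats_text.splitlines():
        m = TCPUSAGE_RE.match(line.strip())
        if m:
            usage[int(m.group(1))] = int(m.group(2))
    return usage

def saturated_threads(stats_text, limit=INCOMING_NUM_TCP):
    """Threads at the incoming-num-tcp ceiling: they cannot accept another TCP client."""
    return sorted(t for t, n in tcp_usage(stats_text).items() if n >= limit)

def established_sessions(lsof_text):
    """Set of peer 'addr:port' strings holding an ESTABLISHED TCP session on port 53."""
    return {m.group(1) for m in map(SESSION_RE.search, lsof_text.splitlines()) if m}

def stale_sessions(lsof_before, lsof_after):
    """Peer addr:port pairs present in both snapshots: idle sessions no timeout closed."""
    return sorted(established_sessions(lsof_before) & established_sessions(lsof_after))
```

A thread listed by `saturated_threads` together with a non-empty `stale_sessions` result between snapshots taken well past `tcp-idle-timeout` is the pattern the report describes, and a reason to check the unbound version against the 1.9.6 fix.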