From: "Lyndon Nerenberg (VE7TFX/VE6BBM)" <lyndon@orthanc.ca>
To: Kristof Provost
Cc: FreeBSD pf, Eirik Øverby
Subject: Re: RFC: enabling pf syncookies by default
List-Archive: https://lists.freebsd.org/archives/freebsd-pf
Date: Tue, 27 Sep 2022 12:24:50 -0700

Kristof Provost writes:

> For those not familiar with it, syncookies are a mechanism to resist syn
> flood DoS attacks. They’re enabled by default in the IP stack, but if
> you’re running pf a syn flood would still exhaust pf’s state table,
> even if the network stack itself could cope.

I'm not sure of the lineage of pf's syncookie code in FreeBSD, but before you do this you should look at the recent set of patches Henning committed to the OpenBSD -snapshot pf source.
We found an evil bug lurking in pf where, if a single source address was recycling source ports fast enough to re-use the same source addr:port pair while the old connection still had a FINWAIT2 state table entry, the new connection attempt would get dropped on the floor. The patch cleaned up most of the problem, but when we recently put the patched pf into production we were still seeing dropped connection requests.

We haven't been able to specifically reproduce the problem yet, but if you're front-ending a busy web site, e.g., I would be wary of enabling syncookies at the moment until this bug gets stamped out once and for all.

--lyndon