Date:      Wed, 05 Oct 2022 17:41:44 +0100
From:      Kristof Provost <kp@FreeBSD.org>
To:        "Lyndon Nerenberg (VE7TFX/VE6BBM)" <lyndon@orthanc.ca>
Cc:        FreeBSD pf <freebsd-pf@freebsd.org>, Eirik Øverby <eirik.overby@modirum.com>
Subject:   Re: RFC: enabling pf syncookies by default
Message-ID:  <58A14C48-3248-4D41-884C-93190AAFCD2C@FreeBSD.org>
In-Reply-To: <ba35872719a2d75e@orthanc.ca>
References:  <BF7E3C1C-CC06-4874-821E-2B3BBDC2F467@FreeBSD.org> <ba35872719a2d75e@orthanc.ca>

On 27 Sep 2022, at 20:24, Lyndon Nerenberg (VE7TFX/VE6BBM) wrote:
> Kristof Provost writes:
>
>> For those not familiar with it, syncookies are a mechanism to resist syn
>> flood DoS attacks. They’re enabled by default in the IP stack, but if
>> you’re running pf a syn flood would still exhaust pf’s state table,
>> even if the network stack itself could cope.
>
> I'm not sure of the lineage of pf's syncookie code in FreeBSD, but
> before you do this you should look at the recent set of patches
> Henning committed to the OpenBSD -snapshot pf source.
>
> We found an evil bug lurking in pf where, if a single source address
> was recycling source ports fast enough to re-use the same source
> addr:port pair while the old connection still had a FINWAIT2 state
> table entry, the new connection attempt would get dropped on the
> floor.  The patch cleaned up most of the problem, but when we
> recently put the patched pf into production we were still seeing
> dropped connection requests.  We haven't been able to specifically
> reproduce the problem yet, but if you're front-ending a busy web
> site, e.g., I would be wary of enabling syncookies at the moment
> until this bug gets stamped out once and for all.
>
I’ve put together a test case for the initial issue: https://reviews.freebsd.org/D36886

That’s not ready to go in, because the bug it tests for isn’t fixed yet. I hope to port the openbsd fix tomorrow, but it’s the sort of thing that needs an hour or two of concentration, so .. maybe, maybe not.

Kristof
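For readers who want to try the setting the thread is about, here is a pf.conf fragment added as an illustration; it is not from Kristof's message, the review, or the FreeBSD tree. The interface name, state limit and the adaptive thresholds are assumed example values, not FreeBSD defaults.

```conf
# Added example pf.conf fragment (not from the thread). All values illustrative.

ext_if = "em0"   # assumed interface name

# The adaptive thresholds below are percentages of the state-table limit, so
# set that limit explicitly instead of relying on the kernel default.
set limit states 100000

# never    - pf tracks every SYN as a half-open state, so a SYN flood fills
#            pf's table even though the host TCP stack could ride it out.
# always   - every SYN is answered with a cookie; no state is created until
#            the returning ACK validates the cookie.
# adaptive - cookies switch on once the table passes "start" and switch off
#            again once it drops below "end".
set syncookies adaptive (start 25%, end 12%)

# Ordinary stateful rule; syncookies apply to the TCP states pf would create.
pass in on $ext_if proto tcp to ($ext_if) port { 80 443 } flags S/SA keep state
```

After `pfctl -f /etc/pf.conf`, `pfctl -s info` reports the configured syncookie mode and its counters, and `pfctl -s states` lists the entries in the state table. The problem Lyndon describes involves a new SYN arriving while an old state for the same source address:port pair is still in FIN_WAIT_2, so if connections from a busy client are being dropped, the FIN_WAIT_2 entries for that client in `pfctl -s states` are the ones to look at.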



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?58A14C48-3248-4D41-884C-93190AAFCD2C>