[Bug 57091] Re: proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...
Simon Iremonger
ubuntu at iremonger.me.uk
Thu May 24 12:15:10 UTC 2018
FWIW, although syncookies have long since been enabled upstream, the
outdated comments in sysctl about syncookies still persist; I have now
created new Ubuntu bug #1773157 [please comment there].
[This also requests ECN-on-outgoing enablement, which has similarly
matured, etc.]
https://bugs.launchpad.net/bugs/57091
Title:
proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to
permit SYN flood defense...
Status in procps package in Ubuntu:
Fix Released
Bug description:
This is intended to be a 'wishlist' vulnerability -- w.r.t. procps and
Edgy.
In my opinion, the /etc/sysctl.conf should have
'proc/sys/net/ipv4/tcp_syncookies=1' in order to permit the Linux
SYNcookies syn-flood trivial DoS attack to be mitigated as necessary,
by default.
Note that the disadvantages of connections initiated w/ SYNcookies
enabled only apply when the system is under attack (SYN queue getting
rather full), as the syncookies reply-with-only-one-SYN+ACK behaviour
only 'kicks in' when the system has a SYN_RECVD backlog problem. (If
SYNcookies were not permitted, incoming TCP connections would have a very
low chance of succeeding at all while under SYN-flood attack.)
Without this setting enabled, any TCP services on the machine can be
DoSed from a dial-up line sending a stream of SYN packets from weird
source addresses to open TCP ports like Samba/VNC/http/whatever....
Does anybody have any legitimate reason tcp_syncookies should be disabled?
Some people once claimed that SYNcookies break some RFCs, but I have
not seen any evidence to this effect, only notes from djb saying that
this is not true.
Comments wanted please ;-)
Thank you in advance,
-- enyc
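Added here as an example, not part of the bug report or of procps: a POSIX shell script that reports whether tcp_syncookies is enabled and, from the TcpExt counters in /proc/net/netstat, whether the kernel has actually had to fall back to cookies, i.e. the "only kicks in under a SYN_RECVD backlog problem" behaviour described above. The counter names and the 0/1/2 meaning of the sysctl are the kernel's own; the sample counters are constructed.

```shell
#!/bin/sh
# Added example (not from the bug report): report whether SYN cookies are
# enabled on a Linux host and whether the kernel has actually used them.
# tcp_syncookies: 0 = off, 1 = only when the SYN backlog overflows,
# 2 = always. Counters come from the TcpExt header/value line pair in
# /proc/net/netstat.

# Print one TcpExt counter from netstat-format text read on stdin.
tcpext_counter() {
    awk -v key="$1" '
        $1 != "TcpExt:" { next }
        !seen { seen = 1; for (i = 2; i <= NF; i++) if ($i == key) idx = i; next }
        { if (idx) print $idx; else print "NA"; exit }'
}

# Exit status 0 when cookies can be used ($1 is 1 or 2), 1 when disabled.
syncookies_enabled() {
    [ "$1" = "1" ] || [ "$1" = "2" ]
}

# Print a two-line summary. $1 = tcp_syncookies value, $2 = netstat text.
# SyncookiesSent > 0 means the backlog filled at least once (a flood, or a
# backlog too small); SyncookiesFailed counts ACKs whose cookie was bogus.
syncookie_report() {
    sent=$(printf '%s\n' "$2" | tcpext_counter SyncookiesSent)
    failed=$(printf '%s\n' "$2" | tcpext_counter SyncookiesFailed)
    overflows=$(printf '%s\n' "$2" | tcpext_counter ListenOverflows)
    case "$1" in
        0) mode="DISABLED: a SYN flood will exhaust the SYN backlog" ;;
        1) mode="enabled on backlog overflow (the recommended default)" ;;
        2) mode="always on" ;;
        *) mode="unrecognised value" ;;
    esac
    printf 'tcp_syncookies=%s: %s\n' "$1" "$mode"
    printf 'SyncookiesSent=%s SyncookiesFailed=%s ListenOverflows=%s\n' \
        "$sent" "$failed" "$overflows"
}

# Constructed sample standing in for a host that has been SYN flooded.
SAMPLE_NETSTAT='TcpExt: SyncookiesSent SyncookiesRecv SyncookiesFailed ListenOverflows ListenDrops
TcpExt: 1234 1100 7 1234 1234
IpExt: InNoRoutes InTruncatedPkts
IpExt: 0 0'

# Use the live values when running on a Linux host, else the sample.
if [ -r /proc/sys/net/ipv4/tcp_syncookies ] && [ -r /proc/net/netstat ]; then
    syncookie_report "$(cat /proc/sys/net/ipv4/tcp_syncookies)" "$(cat /proc/net/netstat)"
else
    syncookie_report 1 "$SAMPLE_NETSTAT"
fi
```

A non-zero SyncookiesSent on a host whose tcp_syncookies is 1 is the signal that the setting has already earned its keep; ListenOverflows rising with SyncookiesSent at 0 is what a host with the knob disabled looks like during a flood.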