TCP socket backlog set too low ("request_sock_TCP: Possible SYN flooding on port ...")
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenVPN |
Unknown
|
Unknown
|
|||
openvpn (Debian) |
Fix Released
|
Unknown
|
|||
openvpn (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
Bionic |
Fix Released
|
Undecided
|
Athos Ribeiro | ||
Focal |
Fix Released
|
Undecided
|
Athos Ribeiro |
Bug Description
[Impact]
Having the listen backlog (the TCP pending connections queue) set to 1, means that only one connection can be in a "waiting for an 'accept' call" state. If more connections are coming through in that window, i.e., before the connection in the queue is accepted, these additional connections will be ignored.
While the short time a system usually takes to clear that queue combined with the possibility of a connection being reset and retried by a client will diminish the impact of the queue maximum size on the users, special cases where too many connections are being received in a short time span may result in many of those connection requests to either take a long time to be processed or to fail. One example of such cases is when the openvpn server is restarted.
The proposed patch increases the listen backlog size to an arbitrary, larger size proposed and accepted upstream in https:/
[Test Plan]
* I am attaching scripts to reproduce/test the bug and the fix, since the scripts may be a bit long. Below is a short summary on how to test (describing the steps taken by the attached scripts).
- Configure and start an openvpn server
- Perform several TCP connections to that server in a short time span, while measuring the time the whole connection batch takes to be accepted. You can also count the number of connections that get reset.
- Apply the proposed patch
- Verify how the time for the same operation described above is drastically reduced. You can also verify that the number of reset connections dropped (possibly to zero, depending on the amount of connections being performed).
Here is a python script that could be used to perform the tests on a running server:
```
import socket
import threading
HOST = 'localhost'
PORT = 1194
def run(name):
for i in range(5):
s = socket.
try:
data = s.recv(1024)
except ConnectionReset
threads = []
for i in range(500):
t = threading.
threads.
for t in threads:
t.start()
for t in threads:
t.join()
```
[Where problems could occur]
When this fix was proposed upstream, the opening line from the submitter read
'For reasons historically unknown, OpenVPN sets the listen() backlog
queue to "1"'...
While changing the queue size did not cause regressions in the version of OpenVPN where the patch was applied (nor in the subsequent versions), backporting the patch to an arbitrary openVPN version could reveal a "historically unknown reason", forcing us to either fix it or revert this patch.
Such regressions may include networking errors, mostly related to the TCP features of the openvpn server. One symptom that can occur when the requests are not being processed in time is having the following message in demesg output: "Possible SYN flooding on port ${PORT}".
[Other Info]
Upstream bug report with relevant discussion: https:/
Upstream patch and more relevant discussion: https://<email address hidden>
[Original report]
See upstream bug reports:
- https:/
- https:/
Openvpn < 2.4.8 opens the TCP port with a too small backlog, and on kernels > 4.3 that leads to incoming connections being dropped. This kernel message is a symptom:
TCP: request_sock_TCP: Possible SYN flooding on port 1194. Dropping request. Check SNMP counters.
I experienced this on a Bionic 18.04.5 (after having upgraded from Xenial) with openvpn 2.4.4-2ubuntu1.5
Fixed upstream.
Related branches
- Bryce Harrington (community): Approve
- Canonical Server Core Reviewers: Pending requested
-
Diff: 81 lines (+59/-0)3 files modifieddebian/changelog (+7/-0)
debian/patches/increase-listen-backlog-queue-to-32.patch (+51/-0)
debian/patches/series (+1/-0)
- Bryce Harrington (community): Approve
- Canonical Server Core Reviewers: Pending requested
-
Diff: 81 lines (+59/-0)3 files modifieddebian/changelog (+7/-0)
debian/patches/increase-listen-backlog-queue-to-32.patch (+51/-0)
debian/patches/series (+1/-0)
Changed in openvpn (Debian): | |
status: | Unknown → Fix Released |
Changed in openvpn (Ubuntu Bionic): | |
status: | New → Triaged |
Changed in openvpn (Ubuntu Focal): | |
status: | New → Triaged |
Changed in openvpn (Ubuntu): | |
status: | Triaged → Fix Committed |
Changed in openvpn (Ubuntu): | |
status: | Fix Committed → Fix Released |
Changed in openvpn (Ubuntu Bionic): | |
assignee: | nobody → Athos Ribeiro (athos-ribeiro) |
Changed in openvpn (Ubuntu Focal): | |
assignee: | nobody → Athos Ribeiro (athos-ribeiro) |
description: | updated |
Changed in openvpn (Ubuntu Bionic): | |
status: | Triaged → In Progress |
Changed in openvpn (Ubuntu Focal): | |
status: | Triaged → In Progress |
Thank you for the bug report.
I did not try to reproduce this bug, but I can confirm that the problematic code is in the Bionic and Focal versions of OpenVPN. Therefore, I am marking this as Triaged.
I will talk to someone from our team about SRU'ing this.