Comment 28 for bug 57091
Revision history for this message
| Simon Iremonger (ubuntu-iremonger) wrote Re: [Bug 57091] Re: proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense... | #28 |
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
> Bog standard 16.04 has it turned on (from the above referenced 10
> -network-
> But, if you then enabled ufw, it gets disabled, due to the default
> setting in /etc/ufw/
> There seems to be serious debate as to whether or not enabling it is
> correct.
I haven't seen why not to enable use of adaptive syncookies, aiui
this creates no _disadvantage_ if not being triggered...
I CAN understand that for some scenarios the 'right thing to do'
is Increase the tcp_max_syn_backlog as cookies are triggering too
easily, even then it won't stop connections being accepted albeit
with less tcp options possible, but then without syncookies
the connections would be dropped as the syn queue fills...
> What I know is that I just spent two hours trying to figure out why SANE
> took forever to detect my network scanner, and this syslog entry clued
> me in:
> Oct 6 22:54:26 hiro kernel: [48562.817258] TCP: request_sock_TCP:
> Possible SYN flooding on port 34029. Dropping request. Check SNMP
> The dropped request was responsible for the delay. If I enable syn
> cookies, I get:
> Oct 6 22:57:28 hiro kernel: [48744.796029] TCP: request_sock_TCP:
> Possible SYN flooding on port 42041. Sending cookies. Check SNMP
> capture it, there's ONE SYN request and the kernel thinks it's a
> "flood".. which makes no sense.
Weird :).
I can't say I'm familiar with uwf, but I wonder if it is somehow
oversensitive in its' own ip(6)tables or they are fiddling with:-
/proc/sys/
Do raise bug in the ufw // ufw sysctl.conf .... Also email me
separately the relevant bug numbers etc., be curious to see!!
- --Simon
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Topal (http://
iF4EAREIAAYFAlf
6hZOZ6tcnbecljP
=Fh0+
-----END PGP SIGNATURE-----