Re: TCP SYN cookies and Bug #520668
* Peter Palfrader:
> On Sat, 13 Feb 2010, Florian Weimer wrote:
>> * Craig Small:
>> > While initially skeptical, I can see that under high TCP loads having
>> > some sort of connection is better than having no connection. Connections
>> > with large windows will be dropped, but they would be anyhow.
>> This argument ignores the non-attack overload case. Lack of window
>> scaling may increase the load (in terms of the number of connections
>> required to achieve a certain level of aggregated bandwidth), making
>> such situations worse.
>> (Window scaling is more important than it used to be because
>> bandwidth-delay products tend to be larger these days.)
> AIUI syn cookies will not affect anything while things are normal, that
> is window scaling and other TCP options will still work as they should.
> Once the syn queue gets full and new connections would be dropped syn
> cookies start becoming active, still accepting connections but without
> options such as window scaling enabled.
These connections are not "accepted" in the sockets API sense, they
are put on the queue as before, only after source address validation.
In an overload scenario, this means that all new connections will have
window scaling disabled, reducing bandwidth per connection, and
perhaps contributing further to the overload situation.
We might consider this scenario too obscure to matter.
BTW, will users think that the current warning ("possible SYN flooding
on port %d. Sending cookies") always indicates an attack? Hopefully
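For anyone who wants to see how often the warning quoted above actually fires on a box, the following is an added example (it is not part of this thread or of the Debian bug) that parses kernel log lines carrying the "possible SYN flooding on port %d. Sending cookies" message and aggregates them per port and by time. The sample log text is constructed for the example; the timestamp prefix and the exact message wording are assumed to match the `dmesg` output of the kernel in question. As the message says nothing about the cause, the script only reports when and where cookies were engaged; deciding whether that was an attack or plain overload still needs other evidence.

```python
import re
from collections import Counter

# Constructed sample dmesg output (not taken from the bug report). The
# warning text follows the kernel message quoted in the thread; the
# "[ seconds.micros]" prefix is the usual dmesg timestamp format.
SAMPLE_DMESG = """\
[ 1201.331045] possible SYN flooding on port 80. Sending cookies.
[ 1201.902113] possible SYN flooding on port 80. Sending cookies.
[ 1260.004871] possible SYN flooding on port 443. Sending cookies.
[ 1262.118203] eth0: link up
[ 3605.771002] possible SYN flooding on port 80. Sending cookies.
"""

# Optional "[ ts]" prefix, then the warning with the listening port.
SYN_COOKIE_RE = re.compile(
    r"^(?:\[\s*(?P<ts>\d+\.\d+)\]\s*)?"
    r"possible SYN flooding on port (?P<port>\d+)\. Sending cookies",
    re.IGNORECASE,
)


def syn_cookie_events(log_text):
    """Return a list of (timestamp_seconds, port) tuples, one per warning.

    Lines without a timestamp prefix get ts=None so they are still counted.
    """
    events = []
    for line in log_text.splitlines():
        m = SYN_COOKIE_RE.match(line.strip())
        if not m:
            continue
        ts = float(m.group("ts")) if m.group("ts") is not None else None
        events.append((ts, int(m.group("port"))))
    return events


def ports_under_pressure(log_text):
    """Count how many times cookies were engaged, keyed by listening port."""
    return Counter(port for _, port in syn_cookie_events(log_text))


def episodes(log_text, gap_seconds=300.0):
    """Group timestamped warnings into episodes separated by quiet gaps.

    A burst of warnings within `gap_seconds` of each other is one episode;
    a repeating daily episode at peak traffic looks very different from a
    single sustained burst, which is the kind of context the kernel
    message itself does not provide.
    """
    times = sorted(ts for ts, _ in syn_cookie_events(log_text) if ts is not None)
    result = []
    for ts in times:
        if result and ts - result[-1][1] <= gap_seconds:
            result[-1][1] = ts          # extend the current episode
        else:
            result.append([ts, ts])     # start a new one
    return [(start, end) for start, end in result]


if __name__ == "__main__":
    print("cookies engaged per port:", dict(ports_under_pressure(SAMPLE_DMESG)))
    for start, end in episodes(SAMPLE_DMESG):
        print("episode from %.1fs to %.1fs" % (start, end))
```

Run against a real `dmesg` dump, the per-port counter shows which listeners hit a full SYN queue, and the episode list shows whether that happened once or keeps recurring; neither output by itself says whether the queue filled because of a flood or because of legitimate load.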