Re: Too many sockets in SYN_RECV

To: Marek Podmaka <marki@marki-online.net>
Cc: debian-isp@lists.debian.org
Subject: Re: Too many sockets in SYN_RECV
From: Thomas Goirand <thomas@goirand.fr>
Date: Wed, 07 Dec 2011 22:57:19 +0800
Message-id: <[🔎] 4EDF7ECF.7090602@goirand.fr>
In-reply-to: <[🔎] 908830125.20111207113035@marki-online.net>
References: <[🔎] 1315535110.20111206103003@marki-online.net> <[🔎] 4EDDF3D7.1020001@debian.org> <[🔎] 908830125.20111207113035@marki-online.net>

On 12/07/2011 06:30 PM, Marek Podmaka wrote:
> Hello,
> 
> Tuesday, December 6, 2011, 11:52:07, Thomas Goirand wrote:
> 
>> Have you tried using syn cookies? That normally helps a lot when you
>> have a great amount of connections. I'm not sure if the Debian kernel
>> uses it by default though (you might need to rebuild the kernel???).
> 
> I have just enabled them (they are compiled in debian kernel, but
> disabled by default) and it seems to help.
> Can you explain why syncookies do help also in my case of many
> connections (without any DDoS attack)? Or the other way - why the
> kernel can't handle the new connections without syncookies?

Ok, I'll explain.

Normally, when you receive a TCP connection, you'd receive a SYN
request. Your server then would reply with a SYN_ACK (which, obviously,
is both a SYN and an ACK). The TCP connection is really established when
you receive a last ACK form the originator of the first SYN packet
you've received at the beginning of the negotiation.

All these exchanges are there to make sure that data can be sent both
ways before declaring connectivity. The only issue is that between the
first SYN and the last ACK, some resources are being allocated (eg:
memory segments, or storage space in a table, or any kernel internals
which I don't really know about: I didn't have a look into the code).

So, to avoid resource exhaustion when you receive so many SYN, instead
of allocating some resources, in your SYN_ACK you send a cookie which is
a kind of cryptography magic number that your server will be able to
recognize when it will receive the ACK. This way, your Linux kernel
doesn't have to allocate any resources at all when it receives a SYN
packet. Your kernel just basically sends SYN_ACK when it receives a SYN
packet, and doesn't do anything else. It only starts allocating
resources when it receives a *valid* ACK packet.

I hope you understood my (very bad) explanations about syncookies! :)
If you don't get some of what I explained, please ask.

To me, this should be enabled by default, as I think it's a very nice
feature.

Thomas

Reply to:

References:
- Too many sockets in SYN_RECV
  - From: Marek Podmaka <marki@marki-online.net>
- Re: Too many sockets in SYN_RECV
  - From: Thomas Goirand <zigo@debian.org>
- Re: Too many sockets in SYN_RECV
  - From: Marek Podmaka <marki@marki-online.net>

Prev by Date: Re: Too many sockets in SYN_RECV
Next by Date: Re: Too many sockets in SYN_RECV
Previous by thread: Re: Too many sockets in SYN_RECV
Next by thread: Re: Too many sockets in SYN_RECV
Index(es):
- Date
- Thread