Re: RFC: enabling pf syncookies by default
Date: Wed, 05 Oct 2022 16:41:44 UTC
On 27 Sep 2022, at 20:24, Lyndon Nerenberg (VE7TFX/VE6BBM) wrote:

> Kristof Provost writes:
>
>> For those not familiar with it, syncookies are a mechanism to resist syn flood DoS attacks. They’re enabled by default in the IP stack, but if you’re running pf a syn flood would still exhaust pf’s state table, even if the network stack itself could cope.
>
> I'm not sure of the lineage of pf's syncookie code in FreeBSD, but before you do this you should look at the recent set of patches Henning committed to the OpenBSD -snapshot pf source.
>
> We found an evil bug lurking in pf where, if a single source address was recycling source ports fast enough to re-use the same source addr:port pair while the old connection still had a FINWAIT2 state table entry, the new connection attempt would get dropped on the floor. The patch cleaned up most of the problem, but when we recently put the patched pf into production we were still seeing dropped connection requests. We haven't been able to specifically reproduce the problem yet, but if you're front-ending a busy web site, e.g., I would be wary of enabling syncookies at the moment until this bug gets stamped out once and for all.

I’ve put together a test case for the initial issue: https://reviews.freebsd.org/D36886

That’s not ready to go in, because the bug it tests for isn’t fixed yet. I hope to port the openbsd fix tomorrow, but it’s the sort of thing that needs an hour or two of concentration, so .. maybe, maybe not.

Kristof
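The source-port recycling problem Lyndon describes, modelled as a toy state table so the failure is visible. This is an added example, not pf's code and not the committed OpenBSD fix; the state names, timeouts, flag handling and addresses are assumptions, and the "fix" shown (treat a bare SYN against a half-closed entry as a new connection) is only this model's way of illustrating the intended behaviour.

```python
# Simplified model of a pf-style TCP state table, written to illustrate the
# source-port recycling problem described in the thread. Not pf's code: the
# state names, timeouts and addresses below are constructed for the example.
from dataclasses import dataclass

SYN, ACK, FIN = 0x02, 0x10, 0x01   # TCP flag bits

@dataclass
class State:
    tcp_state: str   # simplified: "ESTABLISHED" or "FIN_WAIT_2"
    expires: float   # absolute time at which the entry is purged

class StateTable:
    def __init__(self, fix_port_reuse, finwait_timeout=90.0):
        self.fix_port_reuse = fix_port_reuse   # False reproduces the bug
        self.finwait_timeout = finwait_timeout
        self.table = {}   # key: (src_ip, src_port, dst_ip, dst_port)

    def handle(self, key, flags, now):
        """Return 'pass' or 'drop' for a packet with these flags at time now."""
        st = self.table.get(key)
        if st is not None and st.expires <= now:
            del self.table[key]   # ordinary timeout-driven purge
            st = None
        if flags == SYN:   # bare SYN: a new connection attempt
            if st is None:
                self.table[key] = State("ESTABLISHED", now + 3600)
                return "pass"
            # Same 4-tuple still has a state. Buggy path: the SYN does not
            # match the old entry, so it is dropped until that entry expires.
            if self.fix_port_reuse and st.tcp_state == "FIN_WAIT_2":
                self.table[key] = State("ESTABLISHED", now + 3600)
                return "pass"
            return "drop"
        if st is None:
            return "drop"   # non-SYN packet with no state
        if flags & FIN:   # peer is closing; entry lingers in FIN_WAIT_2
            st.tcp_state = "FIN_WAIT_2"
            st.expires = now + self.finwait_timeout
        return "pass"

def port_reuse_scenario(fix_port_reuse):
    """Connect, close, then reuse the same source port 5 seconds later."""
    t = StateTable(fix_port_reuse)
    key = ("192.0.2.10", 40000, "198.51.100.5", 443)   # constructed addresses
    assert t.handle(key, SYN, 0.0) == "pass"
    assert t.handle(key, FIN | ACK, 1.0) == "pass"
    return t.handle(key, SYN, 6.0)   # "drop" with the bug, "pass" with the fix
```

With the buggy table the recycled SYN is only accepted once the lingering FIN_WAIT_2 entry has timed out, which is exactly the window in which a busy client behind one address sees dropped connection requests.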