Re: RFC: enabling pf syncookies by default
Date: Wed, 28 Sep 2022 09:44:25 UTC
On 27 Sep 2022, at 21:24, Lyndon Nerenberg (VE7TFX/VE6BBM) wrote:
> Kristof Provost writes:
>
>> For those not familiar with it, syncookies are a mechanism to resist syn
>> flood DoS attacks. They're enabled by default in the IP stack, but if
>> you're running pf a syn flood would still exhaust pf's state table,
>> even if the network stack itself could cope.
>
> I'm not sure of the lineage of pf's syncookie code in FreeBSD, but
> before you do this you should look at the recent set of patches
> Henning committed to the OpenBSD -snapshot pf source.
>
> We found an evil bug lurking in pf where, if a single source address
> was recycling source ports fast enough to re-use the same source
> addr:port pair while the old connection still had a FINWAIT2 state
> table entry, the new connection attempt would get dropped on the
> floor. The patch cleaned up most of the problem, but when we
> recently put the patched pf into production we were still seeing
> dropped connection requests. We haven't been able to specifically
> reproduce the problem yet, but if you're front-ending a busy web
> site, e.g., I would be wary of enabling syncookies at the moment
> until this bug gets stamped out once and for all.
>
Thanks for this update. Henning told me about the fast re-use issue during EuroBSD, and I had looking at that on my todo list.

I've not yet heard any reports of similar issues on FreeBSD, but that doesn't mean they don't exist of course.

At a minimum I'll hold off on making this change until I've had a chance to work out if we're affected by the issue Henning fixed or not.

Eirik, do you have instrumentation to work out if this is happening to you?

Best regards,
Kristof
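The fast source-port re-use failure mode Lyndon describes, as an added illustration that is not part of the thread and not pf's code: a deliberately simplified model of a stateful firewall's state table, keyed by 4-tuple, where a new SYN colliding with a half-closed (FIN_WAIT_2) entry is either dropped or allowed to replace it. The key layout, state names, the `allow_reuse_of_finwait` switch and the sample addresses are assumptions of this model; the `dropped_syns` counter is the kind of instrumentation a defender would watch for this symptom.

```python
# Added illustration, not pf's code: a simplified stateful-firewall
# state table showing the fast source-port re-use problem described
# in the thread. Keys, state names and the reuse switch are assumptions
# of this model, not pf's internal data structures.
from dataclasses import dataclass


@dataclass
class StateEntry:
    tcp_state: str  # e.g. "ESTABLISHED" or "FIN_WAIT_2"


class StateTable:
    def __init__(self, allow_reuse_of_finwait: bool):
        self.states = {}
        self.allow_reuse = allow_reuse_of_finwait
        self.dropped_syns = 0  # counter a defender would want to watch

    def handle_syn(self, key):
        """Process a SYN for (src, sport, dst, dport); True if accepted."""
        existing = self.states.get(key)
        if existing is None:
            # No state yet: create one (handshake collapsed for brevity).
            self.states[key] = StateEntry("ESTABLISHED")
            return True
        if existing.tcp_state == "FIN_WAIT_2" and self.allow_reuse:
            # Fixed behaviour: a fresh SYN supersedes the half-closed state.
            self.states[key] = StateEntry("ESTABLISHED")
            return True
        # Buggy behaviour: the stale half-closed entry shadows the new
        # connection and the SYN is dropped on the floor.
        self.dropped_syns += 1
        return False

    def half_close(self, key):
        """Client sent FIN and got it ACKed; server side not yet closed."""
        self.states[key].tcp_state = "FIN_WAIT_2"


def simulate(allow_reuse: bool, reuse_attempts: int = 5):
    """Return (accepted SYNs, dropped SYNs) for one client that closes
    each connection and immediately recycles the same source port."""
    table = StateTable(allow_reuse)
    key = ("192.0.2.10", 40000, "198.51.100.5", 443)  # constructed sample
    accepted = 0
    for _ in range(reuse_attempts):
        if table.handle_syn(key):
            accepted += 1
            table.half_close(key)  # old state lingers in FIN_WAIT_2
    return accepted, table.dropped_syns
```

With the reuse switch off only the first connection succeeds and every recycled-port SYN is counted as dropped; with it on all attempts succeed.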