Re: RFC: enabling pf syncookies by default
Date: Wed, 28 Sep 2022 10:00:48 UTC
On 28 Sep 2022, at 11:53, Eirik Øverby wrote:
> On Wed, 2022-09-28 at 11:44 +0200, Kristof Provost wrote:
>> On 27 Sep 2022, at 21:24, Lyndon Nerenberg (VE7TFX/VE6BBM) wrote:
>>> Kristof Provost writes:
>>>
>>>> For those not familiar with it, syncookies are a mechanism to resist syn
>>>> flood DoS attacks. They’re enabled by default in the IP stack, but if
>>>> you’re running pf a syn flood would still exhaust pf’s state table,
>>>> even if the network stack itself could cope.
>>>
>>> I'm not sure of the lineage of pf's syncookie code in FreeBSD, but
>>> before you do this you should look at the recent set of patches
>>> Henning committed to the OpenBSD -snapshot pf source.
>>>
>>> We found an evil bug lurking in pf where, if a single source address
>>> was recycling source ports fast enough to re-use the same source
>>> addr:port pair while the old connection still had a FINWAIT2 state
>>> table entry, the new connection attempt would get dropped on the
>>> floor. The patch cleaned up most of the problem, but when we
>>> recently put the patched pf into production we were still seeing
>>> dropped connection requests. We haven't been able to specifically
>>> reproduce the problem yet, but if you're front-ending a busy web
>>> site, e.g., I would be wary of enabling syncookies at the moment
>>> until this bug gets stamped out once and for all.
>>>
>> Thanks for this update. Henning told me about the fast re-use issue during EuroBSD, and I had looking at that on my todo list.
>>
>> I’ve not yet heard any reports of similar issues on FreeBSD, but that doesn’t mean they don’t exist of course.
>>
>> At a minimum I’ll hold off on making this change until I’ve had a chance to work out if we’re affected by the issue Henning fixed or not.
>>
>> Eirik, do you have instrumentation to work out if this is happening to you?
>
> Sadly no - we'd need some guidance on that. But I assume it would only
> be an issue if we're above the watermark for adaptive mode, right?
>
Yes.

While we’re inactive in adaptive mode there’s no difference in behaviour.

Kristof
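Added example, not part of the thread above: the question in the exchange is whether a box is actually above the adaptive-mode start watermark, because below it syncookies change nothing. The script below is one way to answer that from pf's own counters. It is my illustration, not code from the FreeBSD or OpenBSD projects; the `pfctl -si` and `pfctl -sm` output embedded in it is a constructed sample in the FreeBSD 13 layout (field names `current entries`, `highwater`, `lowwater`, `states hard limit` are assumed to match what your pfctl prints, check with `pfctl -si` before relying on the parsing), and the pf.conf lines in the comments use the documented `set syncookies adaptive (start X%, end Y%)` and `set limit states` syntax.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): decide from pf's counters
# whether the state table is above the adaptive syncookie "start" watermark.
#
# Relevant pf.conf knobs (documented syntax, values here are illustrative):
#   set limit states 100000
#   set syncookies adaptive (start 25%, end 12%)
# Syncookies only kick in once current entries >= start% of the states limit,
# and switch off again below end%.
#
# On a live system replace the two constructed samples with:
#   SI=$(pfctl -si)   and   SM=$(pfctl -sm)

# Constructed sample of `pfctl -si` (FreeBSD 13 layout assumed).
SAMPLE_SI='Status: Enabled for 3 days 04:12:09           Debug: Urgent

State Table                          Total             Rate
  current entries                    31250
  searches                       987654321         3812.0/s
  inserts                         12345678           45.0/s
  removals                        12314428           44.9/s

Syncookies
  mode                       adaptive
  active                     active
  highwater                  25 %
  lowwater                   12 %
  halfopen states            17800
'

# Constructed sample of `pfctl -sm` (shows the configured hard limits).
SAMPLE_SM='states        hard limit   100000
src-nodes     hard limit    10000
frags         hard limit     5000
table-entries hard limit   200000
'

# current_entries SI_TEXT -> number of entries currently in the state table
current_entries() {
    printf '%s\n' "$1" | awk '/current entries/ { print $3; exit }'
}

# state_limit SM_TEXT -> the "set limit states" hard limit
state_limit() {
    printf '%s\n' "$1" | awk '$1 == "states" && /hard limit/ { print $4; exit }'
}

# watermark SI_TEXT highwater|lowwater -> percentage from the Syncookies block
watermark() {
    printf '%s\n' "$1" | awk -v key="$2" '$1 == key { print $2; exit }'
}

# state_pct SI_TEXT SM_TEXT -> integer percent of the hard limit in use
state_pct() {
    cur=$(current_entries "$1")
    lim=$(state_limit "$2")
    echo $(( cur * 100 / lim ))
}

# above_start SI_TEXT SM_TEXT -> exit 0 if usage has reached the start
# watermark (syncookies would be active), else exit 1
above_start() {
    pct=$(state_pct "$1" "$2")
    hw=$(watermark "$1" highwater)
    [ "$pct" -ge "$hw" ]
}

# Stand-alone run against the constructed samples.
if above_start "$SAMPLE_SI" "$SAMPLE_SM"; then
    echo "state table at $(state_pct "$SAMPLE_SI" "$SAMPLE_SM")% of limit:" \
         "above start watermark $(watermark "$SAMPLE_SI" highwater)%," \
         "adaptive syncookies engaged"
else
    echo "state table at $(state_pct "$SAMPLE_SI" "$SAMPLE_SM")% of limit:" \
         "below start watermark, syncookies inactive, no behaviour change"
fi
```

Running this periodically (or graphing `current entries` against the limit) is the instrumentation the thread asks about: if the percentage never reaches the start watermark, syncookies are never engaged and any dropped connections cannot be attributed to them.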