[Bug 57091] Re: proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...
Simon Iremonger
ubuntu at iremonger.me.uk
Mon Feb 15 16:08:02 UTC 2016
The upstream kernel has decided to enable syncookies by default (according to that debian bug, since Linux 2.6.37!).
This makes sense, as the main downsides have already been resolved (especially window scaling even under syncookies-activation), and this feature only kicks-in if the SYN-queue is overloaded.
We might now consider taking out this (now superfluous) tcp_syncookies
entry from /etc/sysctl.d/10-network-security.conf ...
I think a similar situation has now arisen with respect to the
"tcp_ecn" setting, where the (conservative) (enabled by default)
fallback mechanism in the kernel, along with the rarity of
ECN-intolerance, along with the wide ECN-adoption in practice in Apple iOS /
Mac OS X now, along with the importance of ECN for smooth responsive
internet in the face of congestion, means that this tcp_ecn setting
should similarly be seriously considered. This should be the subject
of a new bug report right-soon-now =).
--
https://bugs.launchpad.net/bugs/57091
Title:
proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to
permit SYN flood defense...
Status in procps package in Ubuntu:
Fix Released
Bug description:
This is intended to be a 'wishlist' vulnerability -- w.r.t. procps and
Edgy.
In my opinion, the /etc/sysctl.conf should have
'proc/sys/net/ipv4/tcp_syncookies=1' in order to permit the linux
SYNcookies syn-flood trivial DoS attack to be mitigated as-necessary,
by default.
Note that the disadvantages of connections initiated w/ SYNcookies
enabled only apply when the system is under attack (SYN queue getting
rather full), as the syncookies reply-with-only-one-SYN+ACK behaviour
only 'kicks in' when the system has a SYN_RECVD backlog problem. (If
SYNcookies were not permitted incoming TCP connections have a very low
chance of succeeding at all while under SYN-flood attack).
Without this setting enabled, any TCP services on the machine can be
DoSed from a dial-up line sending a stream of SYN packets from weird
source addresses to open TCP ports like Samba/VNC/http/whatever....
Does anybody have any legitimate reason tcp_syncookies should be disabled?
Some people claimed that SYNcookies break some RFCs once but I have
not seen any evidence to this effect, only notes from djb saying that
this is not true.
Comments wanted please ;-)
Thank you in advance,
-- enyc
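The thread turns on two practical questions: what the distro's sysctl.d snippet actually sets for tcp_syncookies (and whether that entry is now redundant, given the kernel default of 1), and whether syncookies are kicking in on a running box. The following POSIX shell script is an added example, not code from the bug report or from the procps package. It parses a sysctl.conf-style file for a given key (handling both the dotted and the slash spelling, the `-` prefix, and `#`/`;` comments), maps the tcp_syncookies value to its meaning, flags an entry that merely restates the kernel default, and counts the "Possible SYN flooding" notices the kernel logs when the SYN backlog fills. The conf file and log lines it reads are constructed samples written to temp files; the file names and values are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the bug report or of the procps package: it shows
# (1) how to read what a sysctl.d-style file actually sets for tcp_syncookies
# and tcp_ecn, so a now-redundant entry can be spotted, and (2) how to count
# the "Possible SYN flooding" notices the kernel logs when the SYN backlog
# fills, which tell you whether cookies were sent or requests were dropped.
# All input here is constructed; the file names and log lines are samples.

# Print the effective value of KEY in FILE (sysctl.conf syntax).
# Handles "a.b.c = 1", "a.b.c=1", the "a/b/c" spelling sysctl also accepts,
# the "-key" prefix (ignore errors), and '#'/';' comments. Later lines win,
# which matches how sysctl --system applies a file top to bottom.
sysctl_conf_value() {
    key=$(printf '%s' "$2" | tr '/' '.')
    sed -e 's/[#;].*$//' "$1" | tr '/' '.' | awk -F= -v k="$key" '
        NF >= 2 {
            gsub(/^[ \t]+|[ \t]+$/, "", $1); sub(/^-/, "", $1)
            gsub(/^[ \t]+|[ \t]+$/, "", $2)
            if ($1 == k) v = $2
        }
        END { if (v != "") print v }'
}

# Map the numeric tcp_syncookies value to what it means for a defender:
# 0 = never send cookies (backlog overflow drops new SYNs), 1 = send cookies
# only once the SYN backlog is full (the behaviour the bug discusses),
# 2 = send cookies unconditionally.
syncookie_mode() {
    case $1 in
        0) echo disabled ;;
        1) echo on-overflow ;;
        2) echo always ;;
        *) echo unknown ;;
    esac
}

# Exit 0 when FILE sets KEY to DEFAULT, i.e. the entry only restates the
# kernel default and could be dropped from the distro's sysctl.d snippet.
entry_is_redundant() {
    [ "$(sysctl_conf_value "$1" "$2")" = "$3" ]
}

# Summarise kernel SYN-flood notices in a log FILE as "cookies=N drops=M".
# The kernel prints "Possible SYN flooding on port P. Sending cookies." when
# syncookies kick in and "... Dropping request." when they are disabled.
syn_flood_summary() {
    awk '/SYN flooding/ {
            if ($0 ~ /Sending cookies/) c++
            else if ($0 ~ /Dropping request/) d++
         }
         END { printf "cookies=%d drops=%d\n", c, d }' "$1"
}

# --- constructed sample inputs -------------------------------------------
SAMPLE_CONF=$(mktemp)
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_CONF" "$SAMPLE_LOG"' EXIT

# Modelled on the 10-network-security.conf entry the thread talks about.
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample, not the real Ubuntu file
net.ipv4.tcp_syncookies = 1   ; restates the kernel default (1 since 2.6.37)
net/ipv4/tcp_ecn = 0
EOF

# Constructed kernel log lines in the format of the real notice.
cat > "$SAMPLE_LOG" <<'EOF'
[12345.678] TCP: Possible SYN flooding on port 80. Sending cookies.  Check SNMP counters.
[12346.001] TCP: Possible SYN flooding on port 443. Sending cookies.  Check SNMP counters.
[12350.200] TCP: Possible SYN flooding on port 22. Dropping request.  Check SNMP counters.
[12351.000] eth0: link up
EOF

# --- report --------------------------------------------------------------
v=$(sysctl_conf_value "$SAMPLE_CONF" net.ipv4.tcp_syncookies)
echo "configured tcp_syncookies=$v ($(syncookie_mode "$v"))"
if entry_is_redundant "$SAMPLE_CONF" net.ipv4.tcp_syncookies 1; then
    echo "tcp_syncookies entry only restates the kernel default"
fi
echo "configured tcp_ecn=$(sysctl_conf_value "$SAMPLE_CONF" net/ipv4/tcp_ecn)"
if [ -r /proc/sys/net/ipv4/tcp_syncookies ]; then
    echo "running kernel tcp_syncookies=$(cat /proc/sys/net/ipv4/tcp_syncookies)"
fi
echo "SYN-flood notices: $(syn_flood_summary "$SAMPLE_LOG")"
```

Running it against a real host is a matter of pointing `sysctl_conf_value` at /etc/sysctl.d/10-network-security.conf and `syn_flood_summary` at the output of `dmesg` or the kernel journal; a "drops" count above zero while "cookies" stays at zero is the signature of the situation the original report describes, a full SYN backlog with syncookies disabled.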