lists.openwall.net
Open Source and information security mailing list archives
Date:   Fri, 11 Nov 2022 10:38:48 +1000
From:   Jamie Bainbridge <jamie.bainbridge@...il.com>
To:     Stephen Hemminger <stephen@...workplumber.org>
Cc:     Eric Dumazet <edumazet@...gle.com>,
        "David S. Miller" <davem@...emloft.net>,
        Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>,
        David Ahern <dsahern@...nel.org>,
        Jakub Kicinski <kuba@...nel.org>,
        Paolo Abeni <pabeni@...hat.com>, netdev@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH] tcp: Add listening address to SYN flood message

On Fri, 11 Nov 2022 at 09:39, Stephen Hemminger
<stephen@...workplumber.org> wrote:
>
> On Thu, 10 Nov 2022 21:21:06 +1100
> Jamie Bainbridge <jamie.bainbridge@...il.com> wrote:
>
> > +         xchg(&queue->synflood_warned, 1) == 0) {
> > +#if IS_ENABLED(CONFIG_IPV6)
> > +             if (sk->sk_family == AF_INET6) {
> > +                     net_info_ratelimited("%s: Possible SYN flooding on port %d. IP %pI6c. %s.  Check SNMP counters.\n",
> > +                                     proto, sk->sk_num,
> > +                                     &sk->sk_v6_rcv_saddr, msg);
> > +             } else
> > +#endif
> > +             {
> > +                     net_info_ratelimited("%s: Possible SYN flooding on port %d. IP %pI4. %s.  Check SNMP counters.\n",
> > +                                     proto, sk->sk_num, &sk->sk_rcv_saddr, msg);
> > +             }
> > +     }
> >
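Review bot: `sk->sk_num` is a 16-bit unsigned port, yet both format strings print it with `%d`; `%u` is the matching specifier. The IPv4 and IPv6 branches also repeat the entire message text and differ only in `%pI6c` versus `%pI4`, so the two copies can drift apart when the wording is changed; consider formatting the address first and printing one shared string, or at least keeping the family-specific part of the format to the address specifier.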
>
> Port number is unsigned not signed.
> Message also seems overly wordy to me.

Thanks for bringing this up. I agree with you.

I'd like to remove "Check SNMP counters" as it's not helpful to users.

How do they do that? (note userspace has changed from net-tools
"netstat -s" to iproute "nstat" since this message was added). Check
counters for what? If they even figure out the LISTEN stats are
growing, there's still troubleshooting to determine if the SYNs are
genuine or malicious, check/increase somaxconn and the socket listen()
backlog, check/improve application accept() performance, etc...

This is way too much to describe in a kernel log message, and it's the
job of the log message to be "descriptive" of what happened, not
"prescriptive" of policy to follow and cover every troubleshooting
possibility.

I will re-submit with a second patch removing this phrase.

Jamie
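
Jamie's mail asks what "check SNMP counters" would actually mean for a user: finding whether the TcpExt LISTEN counters that `nstat` reports are growing, and then deciding whether the SYN (request) queue or the accept queue is the problem. The script below is an added example, not part of the thread or the kernel patch; it reads two /proc/net/netstat-format snapshots (constructed sample data, not captured from a host) and reports the counter growth. The counter meanings are assumed from the kernel's TcpExt definitions: TCPReqQFullDoCookies/TCPReqQFullDrop grow when a listener's SYN queue is full, ListenOverflows when its accept queue is full.

```shell
#!/bin/sh
# Constructed sample snapshots in /proc/net/netstat layout: a "TcpExt:"
# header line of counter names, then a "TcpExt:" line of values.
SNAP_BEFORE='TcpExt: SyncookiesSent SyncookiesRecv SyncookiesFailed EmbryonicRsts ListenOverflows ListenDrops TCPReqQFullDoCookies TCPReqQFullDrop
TcpExt: 0 0 0 12 40 40 0 0'
SNAP_AFTER='TcpExt: SyncookiesSent SyncookiesRecv SyncookiesFailed EmbryonicRsts ListenOverflows ListenDrops TCPReqQFullDoCookies TCPReqQFullDrop
TcpExt: 1500 20 3 12 40 2540 1500 0'

# listen_counter SNAPSHOT NAME -> value of TcpExt counter NAME in SNAPSHOT.
# awk finds the column of NAME in the header line, then prints that column
# from the value line, so the script does not depend on column positions.
listen_counter() {
    printf '%s\n' "$1" | awk -v name="$2" '
        $1 == "TcpExt:" && !seen {
            for (i = 2; i <= NF; i++) if ($i == name) col = i
            seen = 1; next
        }
        $1 == "TcpExt:" && seen && col { print $col; exit }'
}

# listen_delta NAME -> how much NAME grew between the two snapshots
# (this is what "nstat" shows by default: the change since last run).
listen_delta() {
    before=$(listen_counter "$SNAP_BEFORE" "$1")
    after=$(listen_counter "$SNAP_AFTER" "$1")
    echo $((after - before))
}

# listen_diagnosis -> one tag per condition worth checking (assumed
# counter semantics, see lead-in). ListenDrops alone only says that a
# listener dropped something; the other counters say which queue filled.
listen_diagnosis() {
    if [ "$(listen_delta TCPReqQFullDoCookies)" -gt 0 ]; then
        echo "syn-queue-full-cookies"   # SYN queue full, syncookies sent
    fi
    if [ "$(listen_delta TCPReqQFullDrop)" -gt 0 ]; then
        echo "syn-queue-full-drops"     # SYN queue full, syncookies off
    fi
    if [ "$(listen_delta ListenOverflows)" -gt 0 ]; then
        echo "accept-queue-full"        # backlog/somaxconn or slow accept()
    fi
}

printf 'ListenDrops grew by %s\n' "$(listen_delta ListenDrops)"
listen_diagnosis
```

In the sample data ListenDrops grows by 2500 while ListenOverflows does not move, and TCPReqQFullDoCookies accounts for the growth, so the accept queue is fine and the drops come from a full SYN queue.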
