lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <5485E05E020000A1000183B4@gwsmtp1.uni-regensburg.de>
Date:	Mon, 08 Dec 2014 17:31:10 +0100
From:	"Ulrich Windl" <Ulrich.Windl@...uni-regensburg.de>
To:	<eric.dumazet@...il.com>
Cc:	<netdev@...r.kernel.org>
Subject: Antw: Re: Q: need effective backlog for listen()

>>> Eric Dumazet <eric.dumazet@...il.com> schrieb am 08.12.2014 um 16:18 in
Nachricht <1418051901.15618.46.camel@...mazet-glaptop2.roam.corp.google.com>:
> On Mon, 2014-12-08 at 13:51 +0100, Ulrich Windl wrote:
>> (not subscribed to the list, plese keep me on CC:)
>> 
>> Hi!
>> 
>> I have a problem I could not find the answer. I suspect the problem
>> arises from Linux derivating from standard functionality...
>> 
>> I have written a server that should accept n TCP connections at most.
>> I was expecting that the backlog parameter of listen will cause extra
>> connection requests either
>> 1) to be refused
>> or
>> 2) to time out eventually
>> 
>> (The standard seems to say that extra connections are refused)
>> 
>> However none of the above see ms true. Even if my server delays
>> accept()ing new connections, no client ever sees a "connection
>> refused" or "connection timed out". Is there any chance to signal the
>> client that no more connections are accepted at the moment?
> 
> This 'standard' makes no sense to me, in light of SYNFLOOD attacks.
> 
> It actually makes SYNFLOOD attacks very effective.
> 
> Have you tried to disable syncookies for a start ?

No, I tries to temporarily close the listening socket. My priority is not to overload the server with connections. At the sime time I _want_ that the clients see that the server resfuses connections. Before you wonder: The client will actually be a load balancer.


--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ