| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20191031033632.GE29986@1wt.eu>
Date: Thu, 31 Oct 2019 04:36:32 +0100
From: Willy Tarreau <w@....eu>
To: Eric Dumazet <edumazet@...gle.com>
Cc: "David S . Miller" <davem@...emloft.net>,
netdev <netdev@...r.kernel.org>,
Eric Dumazet <eric.dumazet@...il.com>,
Neal Cardwell <ncardwell@...gle.com>,
Yuchung Cheng <ycheng@...gle.com>, Yue Cao <ycao009@....edu>
Subject: Re: [PATCH net] net: increase SOMAXCONN to 4096
On Wed, Oct 30, 2019 at 09:36:20AM -0700, Eric Dumazet wrote:
> SOMAXCONN is /proc/sys/net/core/somaxconn default value.
>
> It has been defined as 128 more than 20 years ago.
>
> Since it caps the listen() backlog values, the very small value has
> caused numerous problems over the years, and many people had
> to raise it on their hosts after beeing hit by problems.
>
> Google has been using 1024 for at least 15 years, and we increased
> this to 4096 after TCP listener rework has been completed, more than
> 4 years ago. We got no complain of this change breaking any
> legacy application.
>
> Many applications indeed setup a TCP listener with listen(fd, -1);
> meaning they let the system select the backlog.
>
> Raising SOMAXCONN lowers chance of the port being unavailable under
> even small SYNFLOOD attack, and reduces possibilities of side channel
> vulnerabilities.
Just a quick question, I remember that when somaxconn is greater than
tcp_max_syn_backlog, SYN cookies are never emitted, but I think it
recently changed and there's no such constraint anymore. Do you
confirm it's no more needed, or should we also increase this latter
one accordingly ?
Willy
Powered by blists - more mailing lists