| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 3 Jan 2020 05:52:45 -0800
From: Eric Dumazet <edumazet@...gle.com>
To: Ttttabcd <ttttabcd@...tonmail.com>
Cc: Netdev <netdev@...r.kernel.org>,
David Miller <davem@...emloft.net>,
"kuznet@....inr.ac.ru" <kuznet@....inr.ac.ru>,
"yoshfuji@...ux-ipv6.org" <yoshfuji@...ux-ipv6.org>
Subject: Re: [PATCH] tcp: Fix tcp_max_syn_backlog limit on connection requests
On Fri, Jan 3, 2020 at 5:19 AM Ttttabcd <ttttabcd@...tonmail.com> wrote:
>
> However, I think that backward compatibility should not be too serious because sysctl_max_syn_backlog is only enabled when syn_cookies is turned off.
>
Yes, but not your new code :
max_syn_backlog = min_t(u32, net->ipv4.sysctl_max_syn_backlog,
sk->sk_max_ack_backlog);
> If sysctl_max_syn_backlog is set small, there is no difference between the original code and the new code.
There is a difference though....
Set sysctl_max_syn_backlog to 1, and start a reasonable test (not a synflood)
As soon as one SYN_RECV request socket is inserted in the hash, other
SYN packets will generate a syncookie, even if the backlog of the
listener is 100,000
I think the intent of the code is to allow a heavy duty server to use
a huge backlog (say 1,000,000) to avoid syncookies if it has enough
RAM.
In this mode, people never had to tweak sysctl_max_syn_backlog.
>
> Only in the BUG scenarios I mentioned in the patch, the system behavior will change, but these are corrections that have no impact on users.
>
> It's just that the part of the request retention queue will not be mistakenly occupied, and earlier use of syn cookies instead of filling up the backlog.
Powered by blists - more mailing lists