Message-ID: <CAAvyFNiojSM-8euLLuuuZ5bDi0CKmoevncs3OQVLzrao1-Q4Jg@mail.gmail.com>
Date: Fri, 11 Nov 2022 10:38:48 +1000
From: Jamie Bainbridge <jamie.bainbridge@...il.com>
To: Stephen Hemminger <stephen@...workplumber.org>
Cc: Eric Dumazet <edumazet@...gle.com>, "David S. Miller" <davem@...emloft.net>, Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>, David Ahern <dsahern@...nel.org>, Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>, netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] tcp: Add listening address to SYN flood message

On Fri, 11 Nov 2022 at 09:39, Stephen Hemminger <stephen@...workplumber.org> wrote:
>
> On Thu, 10 Nov 2022 21:21:06 +1100
> Jamie Bainbridge <jamie.bainbridge@...il.com> wrote:
>
> > + xchg(&queue->synflood_warned, 1) == 0) {
> > +#if IS_ENABLED(CONFIG_IPV6)
> > + if (sk->sk_family == AF_INET6) {
> > + net_info_ratelimited("%s: Possible SYN flooding on port %d. IP %pI6c. %s. Check SNMP counters.\n",
> > + proto, sk->sk_num,
> > + &sk->sk_v6_rcv_saddr, msg);
> > + } else
> > +#endif
> > + {
> > + net_info_ratelimited("%s: Possible SYN flooding on port %d. IP %pI4. %s. Check SNMP counters.\n",
> > + proto, sk->sk_num, &sk->sk_rcv_saddr, msg);
> > + }
> > + }
> >
>
> Port number is unsigned not signed.
> Message also seems overly wordy to me.

Thanks for bringing this up. I agree with you.

I'd like to remove "Check SNMP counters" as it's not helpful to users. How do they do that? (note userspace has changed from net-tools "netstat -s" to iproute "nstat" since this message was added). Check counters for what? If they even figure out the LISTEN stats are growing, there's still troubleshooting to determine if the SYNs are genuine or malicious, check/increase somaxconn and the socket listen() backlog, check/improve application accept() performance, etc...

This is way too much to describe in a kernel log message, and it's the job of the log message to be "descriptive" of what happened, not "prescriptive" of policy to follow and cover every troubleshooting possibility.

I will re-submit with a second patch removing this phrase.

Jamie
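
Review bot: both net_info_ratelimited() calls format sk->sk_num with %d, and a port number is unsigned, so %u is the matching conversion in the IPv6 branch and the IPv4 branch alike. The two format strings differ only in %pI6c versus %pI4 and the address argument, so every wording change has to be made twice; the `} else` placed ahead of `#endif` also leaves the IPv4 call in a bare brace block when CONFIG_IPV6 is off, which is worth a short comment so the two branches are not edited apart later.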
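
What "check SNMP counters" amounts to in practice, as an added example that is not part of the thread or the patch: a parser for the header-line/value-line layout of /proc/net/netstat that diffs two snapshots and reports the TcpExt counters tied to a full listen queue. The counter names are the kernel's own; the two snapshots and the triage wording are constructed for illustration.

```python
# Added example, not from the thread. SAMPLE_* are constructed snapshots in
# the header-line / value-line layout of /proc/net/netstat.
SYN_COUNTERS = ("SyncookiesSent", "SyncookiesRecv", "SyncookiesFailed",
                "ListenOverflows", "ListenDrops",
                "TCPReqQFullDoCookies", "TCPReqQFullDrop")
_HDR = "TcpExt: " + " ".join(SYN_COUNTERS) + "\n"
SAMPLE_BEFORE = _HDR + "TcpExt: 0 0 0 12 12 0 0\nIpExt: InOctets OutOctets\nIpExt: 1000 2000\n"
SAMPLE_AFTER = _HDR + "TcpExt: 480 35 3 12 12 480 0\nIpExt: InOctets OutOctets\nIpExt: 9000 9500\n"


def parse_netstat(text):
    """Return {group: {counter: value}} from paired header/value lines."""
    rows = [line.split() for line in text.splitlines() if line.strip()]
    if len(rows) % 2:
        raise ValueError("expected header/value line pairs")
    stats = {}
    for names, values in zip(rows[0::2], rows[1::2]):
        if names[0] != values[0] or len(names) != len(values):
            raise ValueError(f"mismatched pair for {names[0]!r}")
        stats[names[0].rstrip(":")] = dict(zip(names[1:], map(int, values[1:])))
    return stats


def syn_deltas(before, after):
    """Counters from SYN_COUNTERS that changed between two snapshots."""
    old = parse_netstat(before).get("TcpExt", {})
    new = parse_netstat(after).get("TcpExt", {})
    return {name: new.get(name, 0) - old.get(name, 0) for name in SYN_COUNTERS
            if new.get(name, 0) != old.get(name, 0)}


def triage(deltas):
    """Map counter growth to the follow-up checks listed in the reply."""
    notes = []
    if deltas.get("TCPReqQFullDoCookies") or deltas.get("TCPReqQFullDrop"):
        notes.append("request queue was full: the condition this log message reports")
    if deltas.get("ListenOverflows"):
        notes.append("accept queue overflowed: check somaxconn, listen() backlog, accept() rate")
    if deltas.get("SyncookiesFailed"):
        notes.append("ACKs with invalid cookies arrived")
    return notes


if __name__ == "__main__":
    # On a live host, pass two reads of /proc/net/netstat taken some seconds apart.
    changed = syn_deltas(SAMPLE_BEFORE, SAMPLE_AFTER)
    for name, delta in changed.items():
        print(f"{name:24} {delta:+d}")
    for note in triage(changed):
        print("*", note)
```

The counters are host-wide, not per socket, so they show that a listen queue filled but not which listener it was.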