Fedora User mailing list archive: tcp_syncookie question (http://www.linux-archive.org/fedora-user/533613-tcp_syncookie-question.html)

Genes MailLists 06-01-2011 02:35 PM

tcp_syncookie question
 
Networking Gurus:

In the past I've set my firewall to use tcp_syncookies - but this
prevents certain tcp options - given the current state of the internet -
can someone opine on whether this should continue to be used or not?

I assume ipv6 is different ..
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines

Bruno Wolff III 06-01-2011 02:40 PM

tcp_syncookie question
 
On Wed, Jun 01, 2011 at 10:35:18 -0400,
Genes MailLists <lists@sapience.com> wrote:
>
> Networking Gurus:
>
> In the past I've set my firewall to use tcp_syncookies - but this
> prevents certain tcp options - given the current state of the internet -
> can someone opine on whether this should continue to be used or not?

The purpose of syn cookies is to not maintain state locally for partly
opened connections. Doing so makes a denial of service attack very
easy.

Genes MailLists 06-01-2011 03:09 PM

tcp_syncookie question
 
On 06/01/2011 10:40 AM, Bruno Wolff III wrote:
> On Wed, Jun 01, 2011 at 10:35:18 -0400,
> Genes MailLists <lists@sapience.com> wrote:
>>
>> Networking Gurus:
>>
>> In the past I've set my firewall to use tcp_syncookies - but this
>> prevents certain tcp options - given the current state of the internet -
>> can someone opine on whether this should continue to be used or not?
>
> The purpose of syn cookies is to not maintain state locally for partly
> opened connections. Doing so makes a denial of service attack very
> easy.

Right - I understand its purpose and benefits - but networking (and
the speed and window sizes) have changed since 1996 ... my question is
if it is still good practice today to use it?

Bruno Wolff III 06-01-2011 04:57 PM

tcp_syncookie question
 
On Wed, Jun 01, 2011 at 11:09:35 -0400,
Genes MailLists <lists@sapience.com> wrote:
>
> Right - I understand its purpose and benefits - but networking (and
> the speed and window sizes) have changed since 1996 ... my question is
> if it is still good practice today to use it?

Unless there is some other alternate way to maintain state in the packets,
the DoS attacks will still work. If you aren't worried about those you
could turn it off.

Also, my memory is that there is a threshold for switching to syn cookies.
I don't remember where I saw the reference, but if that is correct, you
shouldn't be using them unless your machine is fielding lots of connections.
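The threshold Bruno recalls is visible in the kernel's own counters: with tcp_syncookies=1, cookies are only sent once the listen backlog overflows, so a SyncookiesSent counter that never moves means the option loss never happened. As an added check (not code from this thread), this Python parses the TcpExt block of /proc/net/netstat; the sample text is constructed, and the fallback to it on non-Linux hosts is an assumption.

```python
import os

# Constructed sample in the exact layout of /proc/net/netstat (a header line,
# then a value line, per protocol block); the real file has many more columns.
SAMPLE_NETSTAT = """\
TcpExt: SyncookiesSent SyncookiesRecv SyncookiesFailed ListenOverflows ListenDrops
TcpExt: 1532 1201 9 1532 1540
IpExt: InNoRoutes InTruncatedPkts
IpExt: 0 0
"""

def parse_netstat(text):
    """Turn /proc/net/netstat text into {"TcpExtSyncookiesSent": 1532, ...}."""
    stats = {}
    lines = [l for l in text.splitlines() if l.strip()]
    for header, values in zip(lines[0::2], lines[1::2]):
        proto, names = header.split(":", 1)
        _, nums = values.split(":", 1)
        for name, num in zip(names.split(), nums.split()):
            stats[proto + name] = int(num)
    return stats

def syncookie_status(stats, tcp_syncookies):
    """Classify what the counters say about the backlog threshold.

    tcp_syncookies is the sysctl value: 0 = never send cookies, 1 = only when
    the SYN backlog overflows (the threshold discussed above), 2 = always.
    """
    sent = stats.get("TcpExtSyncookiesSent", 0)
    failed = stats.get("TcpExtSyncookiesFailed", 0)
    overflows = stats.get("TcpExtListenOverflows", 0)
    if tcp_syncookies == 0 and overflows:
        return "dropping", f"backlog overflowed {overflows} times with cookies off: SYNs were dropped"
    if sent == 0:
        return "idle", "no cookies sent: the backlog never overflowed, so no TCP options were lost"
    return "active", f"{sent} cookies sent, {failed} ACKs failed validation (stale or forged cookies)"

def read_sysctl(path="/proc/sys/net/ipv4/tcp_syncookies", default=1):
    try:
        with open(path) as f:
            return int(f.read())
    except OSError:
        return default  # assumption: not on Linux, use the distribution default

if __name__ == "__main__":
    try:
        with open("/proc/net/netstat") as f:
            text = f.read()
    except OSError:
        text = SAMPLE_NETSTAT  # offline run over the constructed sample
    print(syncookie_status(parse_netstat(text), read_sysctl()))
```

On a live host the counters are cumulative since boot, so compare two readings a few seconds apart to see whether cookies are being sent right now.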

Genes MailLists 06-01-2011 05:42 PM

tcp_syncookie question
 
On 06/01/2011 12:57 PM, Bruno Wolff III wrote:
> On Wed, Jun 01, 2011 at 11:09:35 -0400,
>
> Unless there is some other alternate way to maintain state in the packets,
> the DoS attacks will still work. If you aren't worried about those you
> could turn it off.
>
> Also, my memory is that there is a threshold for switching to syn cookies.
> I don't remember where I saw the reference, but if that is correct, you
> shouldn't be using them unless your machine is fielding lots of connections.

I believe there was a proposal a few years ago but I don't know what
became of it.

I too recall a threshold below which there should be no effect - that
said I also kind of recall it impacting some other tcp options (window
scaling in particular was squeezed out if I remember right to make room
for the cookie) ...

and therefore some performance degradation when the machine gets busy
... so it's never been totally problem free in that sense ...


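Bruno's point that the cookie replaces locally held half-open state, and Genes's recollection that options such as window scaling get squeezed out, both follow from the 32-bit layout of the server's initial sequence number; as an added illustration (not code from this thread or from the kernel), this Python models the classic layout with a constructed secret and 4-tuple. Newer kernels carry window scale and SACK permission in the TCP timestamp option instead, which this model omits.

```python
import hashlib
import hmac
import struct

# Added model of the classic SYN-cookie layout (Bernstein 1996), not kernel
# code: the 32-bit server ISN is the only state that survives the SYN, so it
# must be self-validating. Secret and addresses are constructed for the demo.
SECRET = b"constructed-demo-secret-rotate-in-real-life"
MSS_TABLE = (536, 1300, 1440, 1460)   # 3 bits reserved for the index

def _mac24(saddr, daddr, sport, dport, client_isn, count):
    msg = struct.pack("!4s4sHHII", saddr, daddr, sport, dport, client_isn, count)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")

def make_cookie(saddr, daddr, sport, dport, client_isn, mss, now):
    """Server ISN: 5-bit minute counter | 3-bit MSS index | 24-bit MAC."""
    count = int(now // 60) & 0x1F
    # largest table MSS not above what the client offered; this index is all
    # the option state the ISN can hold, so window scale/SACK are not kept
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return (count << 27) | (idx << 24) | _mac24(saddr, daddr, sport, dport, client_isn, count)

def check_cookie(saddr, daddr, sport, dport, client_isn, cookie, now):
    """Validate the cookie echoed in the handshake's ACK (ack_seq - 1).
    Returns the MSS to use, or None if the cookie is stale or forged."""
    cur = int(now // 60) & 0x1F
    count = cookie >> 27
    if (cur - count) & 0x1F > 1:          # accept this minute and the previous one
        return None
    if (cookie & 0xFFFFFF) != _mac24(saddr, daddr, sport, dport, client_isn, count):
        return None
    idx = (cookie >> 24) & 7
    return MSS_TABLE[idx] if idx < len(MSS_TABLE) else None

if __name__ == "__main__":
    flow = (b"\x0a\x00\x00\x05", b"\xc0\xa8\x01\x0a", 40000, 443)   # constructed 4-tuple
    isn, t = 0x12345678, 1000000
    c = make_cookie(*flow, isn, 1460, t)
    print(hex(c), check_cookie(*flow, isn, c, t))   # MSS recovered with no stored state
    print(check_cookie(*flow, isn, c ^ 1, t))       # tampered cookie: None
    print(check_cookie(*flow, isn, c, t + 180))     # three minutes later: None
```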

Bill Davidsen 06-01-2011 06:20 PM

tcp_syncookie question
 
Genes MailLists wrote:
> On 06/01/2011 12:57 PM, Bruno Wolff III wrote:
>> On Wed, Jun 01, 2011 at 11:09:35 -0400,
>>
>> Unless there is some other alternate way to maintain state in the packets,
>> the DoS attacks will still work. If you aren't worried about those you
>> could turn it off.
>>
>> Also, my memory is that there is a threshold for switching to syn cookies.
>> I don't remember where I saw the reference, but if that is correct, you
>> shouldn't be using them unless your machine is fielding lots of connections.
>
> I believe there was a proposal a few years ago but I don't know what
> became of it.
>
> I too recall a threshold below which there should be no effect - that
> said I also kind of recall it impacting some other tcp options (window
> scaling in particular was squeezed out if I remember right to make room
> for the cookie) ...
>
> and therefore some performance degradation when the machine gets busy
> ... so it's never been totally problem free in that sense ...
>
>
Depending on what you do, more than "some." As physical distance goes up and
speed goes up, the penalty for small window size goes up as well. Pulling a
TB/day or so from NY to CA I used large window sizes to make it possible.

--
Bill Davidsen <davidsen@tmr.com>
"We have more to fear from the bungling of the incompetent than from
the machinations of the wicked." - from Slashdot

Genes MailLists 06-01-2011 06:29 PM

tcp_syncookie question
 
On 06/01/2011 02:20 PM, Bill Davidsen wrote:
>> as squeezed out if I remember right to make room
>> for the cookie) ...
>>
>> and therefore some performance degradation when the machine gets busy
>> ... so it's never been totally problem free in that sense ...
>>
>>
> Depending on what you do, more than "some." As physical distance goes up and
> speed goes up, the penalty for small window size goes up as well. Pulling a
> TB/day or so from NY to CA I used large window sizes to make it possible.
>

As the internet has gotten faster, that was exactly my concern ...

Bill Davidsen 06-02-2011 04:48 PM

tcp_syncookie question
 
Genes MailLists wrote:
> On 06/01/2011 02:20 PM, Bill Davidsen wrote:
> as squeezed out if I remember right to make room
>
>>> for the cookie) ...
>>>
>>> and therefore some performance degradation when the machine gets busy
>>> ... so it's never been totally problem free in that sense ...
>>>
>>>
>>>
>> Depending on what you do, more than "some." As physical distance goes up and
>> speed goes up, the penalty for small window size goes up as well. Pulling a
>> TB/day or so from NY to CA I used large window sizes to make it possible.
>>
>>
> As the internet has gotten faster, that was exactly my concern ...
>
>
Note that other tuning is appropriate for making lots of connections
with small amounts of data on each, vs. a single socket with very large
transfers. We were using multi-GB aggregations, so tuning the initial
window size was less of an impact, while it is very important for
delivering smaller bytes/socket.

--
Bill Davidsen <davidsen@tmr.com>
We are not out of the woods yet, but we know the direction and have
taken the first step. The steps are many, but finite in number, and if
we persevere we will reach our destination. -me, 2010