> On 5. Sep 2025, at 00:26, Peter 'PMc' Much <p...@citylink.dinoex.sub.org> wrote:
>
> Folks,
>
> today I fell victim to a syn flooding party; one of my machines
> went offline and needed a full reset to recover.
>
> Why:
> If somebody sends me a SYN (might be spoofed), I reply with SYN-ACK.
> If there is a portforwarder in the path, then libalias will
> consider this state of affairs a fully established connection, and
> preserve the record, for... a day.
>
> If somebody sends me 100 SYN packets per second, then after a few
> hours the libalias will have accumulated millions of these records.
> They go into a tailq. And at that size, the network receiving
> thread searching through that will run at 100% CPU.
>
> That receiving thread is a network interrupt, prio 8, so if the
> machine is a single vcore KVM, it won't do much else anymore.
>
> As a quick measure I have now tried to change libalias to require a
> bit more data before making the timeout that long. But in the
> meantime the idiots have stopped their nonsense, so there is no
> test.
>
> Comments, anybody?

That seems to be a problem of libalias. What middlebox setup are you using?

Best regards
Michael

> cheerio,
> PMc