[Bug 57091] Re: proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...

2018-05-24 Thread Simon Iremonger
FWIW, although syncookies have long since been enabled upstream, the outdated comments in sysctl about syncookies still persist. I have now created new Ubuntu bug #1773157 [please comment there]. [This also requests ECN-on-outgoing enablement, which has similarly matured, etc.]

[Bug 57091] Re: proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...

2017-12-11 Thread Nils Toedtmann
I filed a request for ufw not to override it: https://bugs.launchpad.net/ubuntu/+source/ufw/+bug/1737585

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/57091

Title: proc/sys/net/ipv4/tcp_syncookies=1 sho

[Bug 57091] Re: proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...

2016-10-07 Thread Matthew Caron
Will do, Simon.

Re: [Bug 57091] Re: proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...

2016-10-07 Thread Simon Iremonger
> Bog standard 16.04 has it turned on (from the above referenced
> 10-network-security.conf).
> But, if you then enable ufw, it gets disabled, due to the default
> setting in /etc/ufw/sysctl.conf.
> There seems to be serious debate as to whether o

[Bug 57091] Re: proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...

2016-10-06 Thread Matthew Caron
Well, and it gets more interesting. Bog standard 16.04 has it turned on (from the above referenced 10-network-security.conf). But, if you then enable ufw, it gets disabled, due to the default setting in /etc/ufw/sysctl.conf. There seems to be serious debate as to whether or not enabling it is

[Bug 57091] Re: proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...

2016-05-18 Thread antisa
Here is the entry from ...10-network-security.conf from 16.04 (although from the Desktop edition):

    # Turn on SYN-flood protections.  Starting with 2.6.26, there is no loss
    # of TCP functionality/features under normal conditions.  When flood
    # protections kick in under high unanswered-SYN load, the sy

[Bug 57091] Re: proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...

2016-02-15 Thread Simon Iremonger
The upstream kernel has decided to enable syncookies by default (according to that Debian bug, since Linux 2.6.37!). This makes sense, as the main downsides have already been resolved (especially window scaling, even under syncookies activation), and this feature only kicks in if the SYN queue is ov

Re: [Bug 57091] Re: proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...

2009-10-09 Thread Simon Iremonger
On Fri, 9 Oct 2009, Olaf van der Spek wrote:
> Has this request been forwarded upstream (lkml)?

Not that I am aware of. It would be good for this confusion/misinformation to get sorted out properly. Why is it that some wish to make sweeping statements and not understand the whole situation?

[Bug 57091] Re: proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...

2009-10-09 Thread Olaf van der Spek
Has this request been forwarded upstream (lkml)?

Re: [Bug 57091] Re: proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...

2009-09-25 Thread Simon Iremonger
>> Ah, nice. I kinda expected a link to the package version in which it got fixed.

The silly thing is there is misinformation in /etc/sysctl.conf now! It says:

    # This disables TCP Window Scaling (http://lkml.org/lkml/2008/2/5/167)

First of all, that is incorrect as a blanket statement.

Re: [Bug 57091] Re: proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...

2009-09-25 Thread Olaf van der Spek
On Fri, Sep 25, 2009 at 4:56 PM, Kees Cook wrote:
> Olaf: that's why it is "fix released".  :)  It is enabled in Ubuntu now.

Ah, nice. I kinda expected a link to the package version in which it got fixed.

Re: [Bug 57091] Re: proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...

2009-09-25 Thread Olaf van der Spek
Ah, never mind, I can't read, it's at the bottom of that message.

On Fri, Sep 25, 2009 at 5:18 PM, Olaf van der Spek wrote:
> On Fri, Sep 25, 2009 at 4:56 PM, Kees Cook wrote:
>> Olaf: that's why it is "fix released".  :)  It is enabled in Ubuntu now.
>
> Ah, nice. I kinda expected a link to the

[Bug 57091] Re: proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...

2009-09-25 Thread Kees Cook
Olaf: that's why it is "fix released". :) It is enabled in Ubuntu now.

[Bug 57091] Re: proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...

2009-09-25 Thread Olaf van der Spek
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=520668

** Bug watch added: Debian Bug tracker #520668
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=520668

[Bug 57091] Re: proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...

2009-09-25 Thread Olaf van der Spek
Are there any updates on this issue? I don't see any counterarguments to the fact that SYN cookies only take effect after the queue is full. Ideally this would be changed upstream; maybe an Ubuntu kernel dev could contact upstream about this?

[Bug 57091] Re: proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...

2009-05-19 Thread pablomme
> Yes please.

Ok.

> I would initially assume that some other issue has caused the
> kernel to stop handling network traffic rather than high network traffic
> stopping the kernel.

The kernel did not stop, nor did the networking or anything else other than X.

Re: [Bug 57091] Re: proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...

2009-05-19 Thread Kees Cook
On Tue, May 19, 2009 at 04:11:18PM -, pablomme wrote:
> Should I open a new bug report with this?

Yes please. I would initially assume that some other issue has caused the kernel to stop handling network traffic rather than high network traffic stopping the kernel.

[Bug 57091] Re: proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...

2009-05-19 Thread pablomme
I think this may have introduced a regression. While using aMule on my amd64 Jaunty desktop, there is a point at which the screen freezes and X stops responding to input (the mouse pointer moves, but it does not interact with anything). Ctrl-Shift-F1-6 won't drop me to a TTY. I believe the hang aff

[Bug 57091] Re: proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...

2009-02-09 Thread Kees Cook
procps (1:3.2.7-11ubuntu1) jaunty; urgency=low

  * Merge from debian unstable, remaining changes:
    - debian/{postinst,rules}: init script to priority 17, remove on upgrade.
    - debian/rules (Ubuntu-specific):
      - install sysctl files from new sysctl.d directory.
      - append debian/sysc

Re: [Bug 57091] Re: proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...

2008-10-23 Thread Simon Iremonger
On Thu, 23 Oct 2008, KimOlsen wrote:
>> "...option causes the system to violate the TCP standard..."
> I do not think this is the case. If you check RFC4732 they list this as
> a possible way to help against DoS attacks.
> I also believe that window scaling is not affected, but large windows
> are

[Bug 57091] Re: proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...

2008-10-23 Thread KimOlsen
> "...option causes the system to violate the TCP standard..."

I do not think this is the case. If you check RFC4732 they list this as a possible way to help against DoS attacks. I also believe that window scaling is not affected, but large windows are. But accepting legit traffic without large wi

[Bug 57091] Re: proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...

2008-09-26 Thread enyc
** Changed in: ubuntu
       Status: Invalid => Incomplete

[Bug 57091] Re: proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...

2008-09-14 Thread Simon Iremonger
On Fri, 12 Sep 2008, Kees Cook wrote:
> Enabling syncookies disables TCP window scaling[1],

I think this is incorrect as stated, but this should be confirmed/proved/disproved. As far as I have found out elsewhere, the syn-cookies support in Linux is adaptive, and does NOT come into play u

[Bug 57091] Re: proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...

2008-09-12 Thread Kees Cook
Enabling syncookies disables TCP window scaling[1], and in most situations, existing SYN-flood protections in the kernel already address most sorts of those attacks. In some situations (perhaps like what alecm3 was experiencing) there are situations it might be needed, but for a default, I am

[Bug 57091] Re: proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...

2008-09-12 Thread alecm3
We installed 2 production servers and suddenly we started getting strange connection problems, with no errors in the application or system logs. The problems were highly intermittent, but amounted to being unable to connect to a port our TCP server was receiving client internet connections on. Aft

[Bug 57091] Re: proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...

2006-09-08 Thread Matt Zimmerman
SYN cookies are disabled by default in Ubuntu for the same reason they are disabled by default in the kernel. According to the kernel documentation, use of this option causes the system to violate the TCP standard, and so is only intended to be used to mitigate an attack in progress.

** Changed i

[Bug 57091] Re: proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...

2006-09-03 Thread enyc
Jeremy, I can confirm that SYNcookies are NOT part of the firewall mechanism of the kernel. The CONFIG_NETFILTER option in Linux 2.6 is the toggle for Linux packet filtering support called 'netfilter' (iptables)... There are many sub-choices/options for netfilter. CONFIG_SYN_COOKIES however is a dif

[Bug 57091] Re: proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...

2006-08-31 Thread Jeremy Vies
Sorry, I didn't know that ftp was not a server program... My point of view is that it should not be activated by default, but should be easily configurable with a GUI, probably the same GUI that should configure the FW. I add the ubuntu network team and the ubuntu security team to the bug.

[Bug 57091] Re: proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...

2006-08-21 Thread Jeremy Vies
For me syncookies is the same problem as FW is. As you said, as long as you don't start a network service, your computer is safe. If you start an SSH server or whatever, you have to protect your system from DoS or other attacks... (By the way, if your server is reachable from the internet, as soo

[Bug 57091] Re: [Bug 57091] Re: proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...

2006-08-21 Thread enyc
On Mon, 21 Aug 2006, Jeremy Vies wrote:
> I think "tcp_syncookies" is considered as part of the FW mechanism of the
> kernel.
> As Dapper (and previous releases) does not provide any FW out of the box, it
> is normal that tcp_syncookies are not activated by default.
> Your bug report should be p

[Bug 57091] Re: proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...

2006-08-21 Thread Jeremy Vies
Hi enyc, I think "tcp_syncookies" is considered as part of the FW mechanism of the kernel. As Dapper (and previous releases) does not provide any FW out of the box, it is normal that tcp_syncookies are not activated by default. Your bug report should be put as a wish for next release, and maybe