Public bug reported:

This is intended to be a 'wishlist' vulnerability -- w.r.t. procps and
Edgy.

In my opinion, the /etc/sysctl.conf should have
'proc/sys/net/ipv4/tcp_syncookies=1' in order to permit the linux
SYNcookies syn-flood trivial DoS attack to be mitigated as-necessary, by
default.

Note that the disadvantages of connections initiated w/ SYNcookies
enabled only apply when the system is under attack (SYN queue getting
rather full), as the syncookies reply-with-only-one-SYN+ACK behaviour
only 'kicks in' when the system has a SYN_RECVD backlog problem.  (If
SYNcookies were not permitted, incoming TCP connections have a very low
chance of succeeding at all while under SYN-flood attack.)

Without this setting enabled, any TCP services on the machine can be
DoSed from a dial-up line sending a stream of SYN packets from weird
source addresses to open TCP ports like Samba/VNC/http/whatever....


Does anybody have any legitimate reason tcp_syncookies should be disabled?

Some people claimed that SYNcookies break some RFCs once but I have not
seen any evidence to this effect, only notes from djb saying that this
is not true.

Comments wanted please ;-)
Thank you in advance,
-- enyc

** Affects: procps (Ubuntu)
     Importance: Untriaged
         Status: Unconfirmed

-- 
proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN 
flood defense...
https://launchpad.net/bugs/57091

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

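As a defender-side check added here (not part of the report, of procps, or of Ubuntu), the POSIX sh script below parses a sysctl.conf-style file for the tcp_syncookies setting, normalising the slash and dotted key spellings that sysctl(8) accepts, classifies the value, and compares it with the running kernel's value where /proc is readable. The sample configuration file it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the bug report): parse a sysctl.conf-style file and
# report the effective net.ipv4.tcp_syncookies value. sysctl(8) accepts keys
# with '.' or '/' separators, so both spellings are normalised here.

# Print the last value assigned to net.ipv4.tcp_syncookies in the file
# (empty if never set); comments are skipped and a later line overrides an
# earlier one, matching what `sysctl -p` would apply.
effective_syncookies() {
    sed -e 's/[#;].*$//' "$1" | tr '/' '.' | awk -F= '
        /^[ \t]*$/ { next }
        {
            key = $1; val = $2
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "net.ipv4.tcp_syncookies") last = val
        }
        END { print last }'
}

# Classify the value: 1 means cookies are sent only once the SYN_RECV backlog
# overflows (the behaviour the report describes), 0 disables them entirely.
describe_syncookies() {
    case "$1" in
        1)  echo "enabled (used only when the SYN_RECV backlog overflows)" ;;
        2)  echo "forced on for every connection" ;;
        0)  echo "disabled: listeners can be exhausted by a SYN flood" ;;
        "") echo "not set in file: kernel default applies" ;;
        *)  echo "unrecognised value '$1'" ;;
    esac
}

# On Linux, read the running kernel's value so drift between the file and the
# live setting is visible; prints nothing (and fails) elsewhere.
live_syncookies() {
    [ -r /proc/sys/net/ipv4/tcp_syncookies ] && cat /proc/sys/net/ipv4/tcp_syncookies
}

# Constructed sample (not a real /etc/sysctl.conf): slash-style line, then a
# dotted override, to show that the last assignment wins.
SAMPLE_CONF="${TMPDIR:-/tmp}/sysctl-sample.$$"
cat > "$SAMPLE_CONF" <<'EOF'
net/ipv4/tcp_syncookies = 0
net.ipv4.ip_forward = 0   # unrelated key
net.ipv4.tcp_syncookies = 1
EOF
val=$(effective_syncookies "$SAMPLE_CONF")
echo "config: ${val:-<unset>} -> $(describe_syncookies "$val")"
live=$(live_syncookies) && echo "running kernel: $live"
rm -f "$SAMPLE_CONF"
```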