Re: test SYN cookies (was Re: SYN cookies security bugfix?)

Ed L Cashin (ecashin@terry.uga.edu)
10 Nov 2001 17:04:47 -0500


Ed L Cashin <ecashin@terry.uga.edu> writes:

...
> What is a good way to test SYN cookies? I can induce a three-second
> delay (on victim host V) before new TCP connections are accepted by
> sending a burst of 2000 SYN packets (from attacker A), where V is
> running a 2.2.14 or 2.2.17 kernel. During the three seconds ICMP echo
> requests from A to V are being answered.
>
> Turning on SYN cookies after /proc is mounted does not affect the
> three-second pause, though, so I figure that either the pause is not
> on account of a full half-open connection queue or SYN cookies are not
> working.

OK, I have found out that when I use three hosts to try to test SYN
cookies there is no pause, so the pause was a red herring. However,
tests still seem to indicate that the SYN cookies feature doesn't do
anything.

Host A sends a SYN flood to host B, now sporting a new 2.2.20 kernel
(with SYN cookie support, of course). Host C makes repeated TCP
connections and ICMP echo requests to host B in order to monitor host
B.

However, even after setting tcp_max_syn_backlog to 1 on host B, I do
not observe any difference in connection times (from B to C) during a
SYN flood (from A to B) whether tcp_syncookies are on or off on host B
(1 or 0). I am restarting the server on B each time I make an
adjustment in /proc.

Is there anyone who has any evidence that SYN cookies do anything in
kernel 2.2.x? If so, how did you get that evidence, because I would
like to reproduce it.

-- 
--Ed Cashin                   PGP public key:
  ecashin@terry.uga.edu       http://www.terry.uga.edu/~ecashin/pgp/

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/