Task
Resolution: Fixed
Minor
Hi all,
radsecproxy (1.6.5) is dropping requests after upgrading to Ubuntu 16.04 LTS, when syncookies are disabled (ex: ufw is in use).
In kern.log we had:
Jan 17 ************ kernel: [28216.815253] TCP: request_sock_TCP: Possible SYN flooding on port 2083. Dropping request. Check SNMP counters.
The behavior is the same with 1.6.8.
Since a kernel change (see http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/patch/?id=ef547f2ac16bd9d77a780a0e7c70857e69e8f23f), calling the listen syscall with a backlog value of 0 (tls.c:356, tls.c:470) will drop requests when syncookies are disabled.
Enabling syncookies is a workaround, which will prevent dropping packets when the backlog value is reached.
Changing the backlog parameter to 16, for example, fixes the issue.
/radsecproxy-1.6.8# grep -n "listen(" -r *
tcp.c:356: listen(*sp, 16);
tls.c:470: listen(*sp, 16);
Other applications are/were affected as well. Some forum threads suggest setting the backlog value to 1.
Best regards,
Michael Becker
__________________________________
Michael Becker
Head of IT Operations
Division KIS
Hochschule Niederrhein
University of Applied Sciences
Reinarzstraße 49, 47805 Krefeld, Building D, Room DE10
Tel.: +49 (0)2151 822-3123
Fax: +49 (0)2151 822-853123
E-Mail: michael.becker@hs-niederrhein.de
www.hs-niederrhein.de
[Created via e-mail received from: Michael.Becker@hs-niederrhein.de]
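As an added example, not part of the original report or of radsecproxy: a small POSIX shell diagnostic for the condition described above, listing listeners whose backlog is 0, checking whether SYN cookies are off, and reading the SNMP counters the kernel message refers to. It assumes Linux with /proc and iproute2 `ss`; the helpers read stdin so they can also be run on captured output.

```shell
#!/bin/sh
# Added diagnostic, not part of radsecproxy: checks a Linux host for the
# failure mode described above (listen() backlog 0 plus tcp_syncookies=0, so
# every SYN is dropped and the kernel logs "Possible SYN flooding").
# Assumes /proc and iproute2 `ss`; helpers read stdin so they also work on
# captured output.

# Print local address:port of each listening TCP socket whose backlog
# (the Send-Q column of `ss -ltn`) is 0.
zero_backlog_listeners() {
    awk 'NR > 1 && $3 == 0 { print $4 }'
}

# Print one TcpExt counter from /proc/net/netstat, which stores a "TcpExt:"
# header line naming the columns followed by a "TcpExt:" line of values.
tcpext_counter() {
    awk -v name="$1" '
        $1 == "TcpExt:" && col == 0 { for (i = 2; i <= NF; i++) if ($i == name) col = i; next }
        $1 == "TcpExt:" && col > 0  { print $col; exit }'
}

# Succeed when the tcp_syncookies value read from stdin is 0 (cookies off).
syncookies_disabled() {
    [ "$(cat)" = "0" ]
}

# Report against the live system; the counters are the SNMP counters the
# kernel message asks you to check.
report() {
    if syncookies_disabled < /proc/sys/net/ipv4/tcp_syncookies; then
        echo "net.ipv4.tcp_syncookies=0: a backlog-0 listener drops every SYN"
    fi
    ss -ltn | zero_backlog_listeners | while read -r addr; do
        echo "listener with backlog 0: $addr"
    done
    for c in ListenDrops ListenOverflows TCPReqQFullDrop; do
        echo "$c=$(tcpext_counter "$c" < /proc/net/netstat)"
    done
}

if [ "${1:-}" = "--report" ]; then
    report
fi
```

Run it with `--report` on the affected host; a port 2083 listener showing backlog 0 together with tcp_syncookies=0 and a rising ListenDrops/TCPReqQFullDrop count is the signature of this bug.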