TCPv6 SYN flood protection using syncookie

roop kumar

Is there any drawback/limitation in the syncookie implementation for IPv6?

I'm currently using Linux 4.19 with syncookie enabled as net.ipv4.tcp_syncookies=1.

I used the netwox tool to simulate a TCP SYN flood for IPv4/IPv6.

I didn't observe any issue for IPv4.
But I observed that the CPU% for si spikes during the TCPv6 SYN flood. Also, ssh/ping is not working at that time for the IPv4/IPv6 address.

If we disable syncookie, as expected only ssh is not working during the TCPv6 SYN flood.
 


Hi,
Thanks for the reply.
According to these shared articles, v4.19 also has SYN cookie support for IPv6.
But I didn't find information about verification/testing performed on IPv6 with SYN cookies for TCPv6 SYN flood protection.

As mentioned in the initial post, I have the observation below, which seems to show that SYN cookies are not handled properly for IPv6.
I observed a CPU% spike (top output) on one device when we perform a TCPv6 SYN flood using the netwox tool from another Linux device. During that time period, ssh/ping also does not work when we use the IPv4/IPv6 address of that Linux device from other connected devices in the network.



Thanks
 
SYN cookies place increased load on server resources. Encrypting responses is computationally expensive. The SYN cookie does not reduce traffic, which makes it ineffective against SYN flooding attacks that target bandwidth as the attack vector. Seems to me it would be better to use Snort or Suricata to stop SYN flooding.
Snort - https://snort.org/
Suricata - https://suricata.io/
 
Hi,
Thanks for the suggestion. I agree.
As mentioned earlier, I'm facing this problem during an IPv6 TCP SYN flood attack but not during an IPv4 TCP SYN flood attack.

Actually, I have a requirement that legitimate users should be able to access our device while there is a TCP SYN flood attack.

I'm trying to explore this. While searching, I observed that SYN cookie support exists for IPv4 & IPv6 in Linux versions.
It would be helpful for me if anyone shares inputs/suggestions on the observations made about handling an IPv6 TCP SYN flood attack, to protect legitimate users when SYN cookies are enabled.

Generally, SYN cookies should help to allow legitimate users' connections while there is a SYN flood attack.

We verified scenarios with both IPv4 and IPv6 TCP SYN flood traffic using the netwox simulation tool towards a target which has SYN cookies enabled.

1) We observed that legitimate users are able to access the target properly when there is an IPv4 TCP SYN flood attack from random sources.
2) But we are observing a target unreachability issue for legitimate users and high CPU utilization on the target when there is an IPv6 TCP SYN flood attack. Generally, ping6 from legitimate users shouldn't fail.

We are using Linux v4.19.81. While checking the docs, we observed that the syncookies code patch exists for this version as well.

Please let us know whether any drawback/limitation exists with SYN cookies for IPv6.
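
To check whether the kernel is actually issuing and validating SYN cookies during a test like the ones described in this thread, the TcpExt counters in /proc/net/netstat can be compared before and after the test. The script below is an added example, not code from any poster in the thread; the two sample snapshots are constructed, and it assumes the TcpExt counter names exposed by Linux kernels of this generation.

```python
"""Diff SYN-handling counters between two /proc/net/netstat snapshots."""
import sys
import time
from pathlib import Path

# TcpExt counters for SYN handling. They are kept per network namespace and
# incremented for TCP listeners on both IPv4 and IPv6.
WATCH = ("SyncookiesSent", "SyncookiesRecv", "SyncookiesFailed",
         "ListenOverflows", "ListenDrops",
         "TCPReqQFullDoCookies", "TCPReqQFullDrop")

# Constructed snapshots (not captured from a real host), trimmed to TcpExt.
_NAMES = "TcpExt: " + " ".join(WATCH) + "\n"
SAMPLE_BEFORE = _NAMES + "TcpExt: 10 2 0 0 0 10 0\n"
SAMPLE_AFTER = _NAMES + "TcpExt: 48220 5 17 0 0 48220 0\n"

def parse_netstat(text):
    """Parse paired 'Group: names' / 'Group: values' lines into dicts."""
    rows = [ln.split() for ln in text.splitlines() if ln.strip()]
    groups = {}
    for names, values in zip(rows[0::2], rows[1::2]):
        if names[0] != values[0] or len(names) != len(values):
            raise ValueError("unpaired header/value lines at " + names[0])
        groups[names[0].rstrip(":")] = dict(zip(names[1:], map(int, values[1:])))
    return groups

def syn_deltas(before, after):
    """Return the change in each watched counter between two snapshots."""
    b, a = parse_netstat(before)["TcpExt"], parse_netstat(after)["TcpExt"]
    return {k: a[k] - b[k] for k in WATCH if k in a and k in b}

def assess(d):
    """Summarise what the deltas say about the listeners in the interval."""
    if d.get("SyncookiesSent", 0) == 0:
        if d.get("TCPReqQFullDrop", 0) or d.get("ListenDrops", 0):
            return "SYNs dropped, no cookies sent: check net.ipv4.tcp_syncookies"
        return "no cookies sent: SYN queue did not overflow in this interval"
    if d.get("SyncookiesRecv", 0) == 0:
        return "cookies sent, none validated: no handshake completed"
    return "cookies sent and validated: handshakes completing under load"

if __name__ == "__main__":  # live mode: two reads, N seconds apart (default 5)
    proc = Path("/proc/net/netstat")
    first = proc.read_text()
    time.sleep(float(sys.argv[1]) if len(sys.argv) > 1 else 5.0)
    deltas = syn_deltas(first, proc.read_text())
    for name, value in deltas.items():
        print("%-22s %+d" % (name, value))
    print(assess(deltas))
```

Run it on the target while the test traffic is in progress; the counters do not separate IPv4 from IPv6, so run the two tests at different times and compare the results.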
 
