(Configurable) hard limit on the number of open TCP connections#535
(Configurable) hard limit on the number of open TCP connections#535Firobe wants to merge 2 commits intomirage:mainfrom
Conversation
Limit the number of tracked connections (with a hardcoded number). After that limit, new SYN packets are dropped. Discovered and implemented by Edwin Török. Co-authored-by: Török Edwin <[email protected]>
|
Added a pair of commits to refresh the CI a bit :) |
I guess that'd be best as a separate PR to be merged quickly. So, you propose a "(Configurable) hard limit on the number of open TCP connections"? Your implementation seem to only care about the I wonder why, and wouldn't esp. for the |
Although SYN cookies are a widely deployed solution, it can lead to silent data loss. Having the option to turn SYN cookies on or off might still be useful though, especially if the application has other ways of detecting missing or corrupted data (e.g. through TLS, so SYN cookies could be turned on by default when TLS is in use without the fear of undetectable data loss). From the linked article:
I was not actually aware of this until I started seeing some problems with SYN cookies myself, where legitimate traffic was getting stuck. It can also lead to performance issues, although if you only turn them on when you detect that you are being flooded that may be acceptable.
SYN floods are one reason (and SYN cookies help there), but there is another attack which is not thwarted by SYN cookies. Just like how like SYN cookies avoid having to keep state server-side for connections, similar techniques can be used by an attacker client application, i.e. it is possible to write an almost entirely stateless TCP client capable of opening a nearly unbounded amount of connections by fully completing a 3-way handshake without actually keeping any per-connection state (I've written such a stateless client myself, after finding a C implementation of this from 2008). So it might be useful to limit both the amount of connections that are being established, and the amount of already established connections. |
Done in #536
This makes me realize that the naming introduced in mirage/mirage#1630 (comment) is unclear. I refer to open connections, while we're actually talking about "pending" connections I guess. If we end up limiting both |
In line with #534, this is Edwin's patch to put the hard limit to the number of TCP listens in progress, with some light modifications to make this configurable at
connecttime. It's intended as a last resort limit for this layer (but still before another limit in the lower layer: mirage/mirage-net-solo5#49)cc @edwintorok