James (quelrod) wrote in linux,

I ran across an interesting problem, which I have not seen crash or kernel panic an OpenBSD box, but which does a FreeBSD box (this is cross-posted in openbsd/freebsd/linux).
keepidle, whose default based on the RFC is 7200 or 2 hours, means that once a TCP connection is established, if after 2 hours no data has been sent it starts sending keepalive packets... up to 8, using the keepintvl of 75 seconds, meaning this is another 20 min or so... so essentially a TCP connection is kept open 2 hours and 20 min after it is established... The problem is you can create a DoS by creating connections until you exhaust the 65535 ports; against a FreeBSD 4.4 system, this is an attack that can be run across the net and not just on a local network. Even tested on a local network, I was unable to flood an OpenBSD box to DoS. This isn't to say OpenBSD is invincible; I think a little more time and effort would result in the ability to DoS it as well.

net.inet.tcp.keepinittime = 150
net.inet.tcp.keepidle = 7200
net.inet.tcp.keepintvl = 75

In Linux you may find these same values in /proc/sys/net/ipv4/: tcp_keepalive_intvl and tcp_keepalive_time

I have not tried this against a linux system but would assume that it would result in the same problem.

Also, I have seen some systems that make the timeout 120 seconds, 2 min, instead of 20; this would substantially help out the system, as the FreeBSD system took about 15 min to deplete the available ports and finally crash. I am not aware of the consequences of lowering this number to a level such as 2 min. Also, all of this was observed on non-firewalled systems: a FreeBSD system over the net, and an OpenBSD one over an internal network (which did not crash). Firewalling would help decrease this problem as well.

Anyone with more information, or who can verify this to be a problem on any other systems, or with thoughts towards the proper settings of the keepalive flags, please let me know.
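The post describes the keepalive timers by hand; the script below, added here as an illustration and not part of the original post, reads the live settings on Linux (the /proc files named above) or FreeBSD (the net.inet.tcp sysctls) and computes how long a silent peer can hold a connection open before the kernel gives up, using the conventional model keepidle + probes × keepintvl. The probe count of 8 for kernels without a keepcnt sysctl, the 600-second budget, and the assumption that the sysctls report seconds (as in the post; newer FreeBSD releases report milliseconds) are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: audit how long an idle TCP
# connection survives before keepalive declares the peer dead.

# Seconds a silent peer keeps a connection open under the conventional model:
#   keepidle + (number of probes * keepintvl)
keepalive_window() {
    idle=$1; intvl=$2; cnt=$3
    echo $(( idle + cnt * intvl ))
}

# Read the live settings into KA_IDLE, KA_INTVL (seconds) and KA_CNT (probes).
# Linux exposes them in /proc; FreeBSD via sysctl. Assumption: values are in
# seconds, as in the post (modern FreeBSD reports keepidle/keepintvl in ms).
read_keepalive_settings() {
    if [ -r /proc/sys/net/ipv4/tcp_keepalive_time ]; then
        KA_IDLE=$(cat /proc/sys/net/ipv4/tcp_keepalive_time)
        KA_INTVL=$(cat /proc/sys/net/ipv4/tcp_keepalive_intvl)
        KA_CNT=$(cat /proc/sys/net/ipv4/tcp_keepalive_probes)
    elif command -v sysctl >/dev/null 2>&1 && sysctl -n net.inet.tcp.keepidle >/dev/null 2>&1; then
        KA_IDLE=$(sysctl -n net.inet.tcp.keepidle)
        KA_INTVL=$(sysctl -n net.inet.tcp.keepintvl)
        # Older FreeBSD has no keepcnt sysctl; assume the 8 probes the post describes.
        KA_CNT=$(sysctl -n net.inet.tcp.keepcnt 2>/dev/null || echo 8)
    else
        # Neither source available: fall back to the defaults quoted in the post.
        KA_IDLE=7200; KA_INTVL=75; KA_CNT=8
    fi
}

# "long" if the window exceeds the chosen budget (seconds), else "ok".
judge_window() {
    window=$1; budget=$2
    if [ "$window" -gt "$budget" ]; then echo long; else echo ok; fi
}

# Usage: report the current host's window against an assumed 10-minute budget.
BUDGET=600
read_keepalive_settings
WINDOW=$(keepalive_window "$KA_IDLE" "$KA_INTVL" "$KA_CNT")
echo "keepidle=${KA_IDLE}s keepintvl=${KA_INTVL}s probes=${KA_CNT} -> dead-peer window ${WINDOW}s ($(judge_window "$WINDOW" "$BUDGET"))"
```

With the defaults quoted in the post (7200, 75, 8 probes) the window comes out at 7800 seconds; with keepidle lowered to the 120 seconds the post mentions it drops to 720 seconds, which shows where most of the hold time comes from.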