[Bug 289661] system gets unresponsive after syn flooding (libalias)
Date: Wed, 17 Sep 2025 09:44:42 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=289661
Bug ID: 289661
Summary: system gets unresponsive after syn flooding (libalias)
Product: Base System
Version: 14.3-RELEASE
Hardware: amd64
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: bugs@FreeBSD.org
Reporter: pmc@citylink.dinoex.sub.org
After one of my Internet-facing systems went unresponsive, I found that
libalias does apparently treat initial TCP-connects wrong: after only two steps
of the three-way-handshake have completed, it considers the flow as established
and keeps it in memory (for a day). Apparently the machine (single-core) had
become entirely busy scanning that list.
I am not up-to-date with the various "tcp fastopen" proposals, and how far
these might change the three-way-handshake, so I simply changed libalias to
await all three steps. This could certainly still be flooded deliberately, but
at least it gets rid of those guys who send me a few million syn-packets over
the day out of mere boredom.
Version: the incident happened with 13.5, but I don't see any difference to
14.3 (and my systems are now upgraded).
Patch follows.
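Added example, not part of the report and not the patch it refers to: a toy flow-table model in C (not libalias code) that compares how many entries survive an hour after unanswered handshakes when a flow counts as established after two steps versus after all three. The one-day lifetime is the figure from the report; the 10-second half-open timeout, the one-minute arrival spread and all names are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
/* Toy NAT flow-table model, NOT libalias code; all names are hypothetical.
 * One-day lifetime is from the report; the 10 s half-open timeout is assumed. */
enum { EXPIRE_HALF_OPEN = 10, EXPIRE_ESTABLISHED = 86400 };
enum policy { AFTER_SYN_ACK = 2, AFTER_FINAL_ACK = 3 }; /* steps required */
enum pkt { SYN = 0, SYN_ACK = 1, ACK = 2 };
struct flow { int steps; long expires; };  /* steps: handshake steps seen */

/* Feed one handshake packet, seen at time `now`, into a flow entry. */
static void flow_input(struct flow *f, enum pkt p, long now, enum policy pol)
{
    if ((int)p == f->steps)          /* accept handshake steps in order only */
        f->steps++;
    f->expires = now + (f->steps >= (int)pol ? EXPIRE_ESTABLISHED
                                             : EXPIRE_HALF_OPEN);
}

/* nflows peers send SYN, get SYN-ACK, never send the final ACK.
 * Returns how many entries are still in the table at time `at`. */
static size_t live_after_flood(size_t nflows, long at, enum policy pol)
{
    size_t live = 0;
    for (size_t i = 0; i < nflows; i++) {
        struct flow f = { 0, 0 };
        long t = (long)(i % 60);     /* constructed: arrivals over one minute */
        flow_input(&f, SYN, t, pol);
        flow_input(&f, SYN_ACK, t, pol);
        if (f.expires > at) live++;
    }
    return live;
}

/* A peer that completes all three steps gets the long lifetime either way. */
static long full_handshake_expiry(enum policy pol)
{
    struct flow f = { 0, 0 };
    flow_input(&f, SYN, 0, pol);
    flow_input(&f, SYN_ACK, 0, pol);
    flow_input(&f, ACK, 0, pol);
    return f.expires;
}

int main(void)
{
    printf("entries after 1h: %zu (two steps) vs %zu (three steps)\n",
           live_after_flood(1000000, 3600, AFTER_SYN_ACK),
           live_after_flood(1000000, 3600, AFTER_FINAL_ACK));
    return 0;
}
```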