[RFC PATCH] tcp: Replace possible syn attack msg by counters

[RFC PATCH] tcp: Replace possible syn attack msg by counters

[Tom Herbert]

Rather than printing the message to the log, use a mib counter to keep
track of the count of occurences of syn cookies being used or syn
being dropped when request queue is full.

Rationale is these messages can fill up /var/log/messages on server
which is simply under heavy load... I'm not sure how much more useful
they would be in identifying a server DOS attack (compared to
counters).

Signed-off-by: Tom Herbert <therbert@google.com>
---
 include/linux/snmp.h |    2 ++
 net/ipv4/proc.c      |    2 ++
 net/ipv4/tcp_ipv4.c  |   30 +++++++++---------------------
 net/ipv6/tcp_ipv6.c  |   29 +++++++++--------------------
 4 files changed, 22 insertions(+), 41 deletions(-)

diff --git a/include/linux/snmp.h b/include/linux/snmp.h
index 12b2b18..e16557a 100644
--- a/include/linux/snmp.h
+++ b/include/linux/snmp.h
@@ -231,6 +231,8 @@ enum
 	LINUX_MIB_TCPDEFERACCEPTDROP,
 	LINUX_MIB_IPRPFILTER, /* IP Reverse Path Filter (rp_filter) */
 	LINUX_MIB_TCPTIMEWAITOVERFLOW,		/* TCPTimeWaitOverflow */
+	LINUX_MIB_TCPREQQFULLDOCOOKIES,		/* TCPReqQFullDoCookies */
+	LINUX_MIB_TCPREQQFULLDROP,		/* TCPReqQFullDrop */
 	__LINUX_MIB_MAX
 };
 
diff --git a/net/ipv4/proc.c b/net/ipv4/proc.c
index b14ec7d..4bfad5d 100644
--- a/net/ipv4/proc.c
+++ b/net/ipv4/proc.c
@@ -254,6 +254,8 @@ static const struct snmp_mib snmp4_net_list[] = {
 	SNMP_MIB_ITEM("TCPDeferAcceptDrop", LINUX_MIB_TCPDEFERACCEPTDROP),
 	SNMP_MIB_ITEM("IPReversePathFilter", LINUX_MIB_IPRPFILTER),
 	SNMP_MIB_ITEM("TCPTimeWaitOverflow", LINUX_MIB_TCPTIMEWAITOVERFLOW),
+	SNMP_MIB_ITEM("TCPReqQFullDoCookies", LINUX_MIB_TCPREQQFULLDOCOOKIES),
+	SNMP_MIB_ITEM("TCPReqQFullDrop", LINUX_MIB_TCPREQQFULLDROP),
 	SNMP_MIB_SENTINEL
 };
 
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 955b8e6..f36ab28 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -807,21 +807,6 @@ static void tcp_v4_reqsk_destructor(struct request_sock *req)
 	kfree(inet_rsk(req)->opt);
 }
 
-static void syn_flood_warning(const struct sk_buff *skb)
-{
-	const char *msg;
-
-#ifdef CONFIG_SYN_COOKIES
-	if (sysctl_tcp_syncookies)
-		msg = "Sending cookies";
-	else
-#endif
-		msg = "Dropping request";
-
-	pr_info("TCP: Possible SYN flooding on port %d. %s.\n",
-				ntohs(tcp_hdr(skb)->dest), msg);
-}
-
 /*
  * Save and compile IPv4 options into the request_sock if needed.
  */
@@ -1249,14 +1234,17 @@ int tcp_v4_conn_request(struct sock *sk, struct sk_buff *skb)
 	 * evidently real one.
 	 */
 	if (inet_csk_reqsk_queue_is_full(sk) && !isn) {
-		if (net_ratelimit())
-			syn_flood_warning(skb);
 #ifdef CONFIG_SYN_COOKIES
-		if (sysctl_tcp_syncookies) {
-			want_cookie = 1;
-		} else
+		want_cookie = sysctl_tcp_syncookies;
 #endif
-		goto drop;
+		if (want_cookie)
+			NET_INC_STATS_BH(sock_net(sk),
+			      LINUX_MIB_TCPREQQFULLDOCOOKIES);
+		else {
+			NET_INC_STATS_BH(sock_net(sk),
+			    LINUX_MIB_TCPREQQFULLDROP);
+			goto drop;
+		}
 	}
 
 	/* Accept backlog is full. If we have already queued enough
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index 78aa534..810ae64 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -530,20 +530,6 @@ static int tcp_v6_rtx_synack(struct sock *sk, struct request_sock *req,
 	return tcp_v6_send_synack(sk, req, rvp);
 }
 
-static inline void syn_flood_warning(struct sk_buff *skb)
-{
-#ifdef CONFIG_SYN_COOKIES
-	if (sysctl_tcp_syncookies)
-		printk(KERN_INFO
-		       "TCPv6: Possible SYN flooding on port %d. "
-		       "Sending cookies.\n", ntohs(tcp_hdr(skb)->dest));
-	else
-#endif
-		printk(KERN_INFO
-		       "TCPv6: Possible SYN flooding on port %d. "
-		       "Dropping request.\n", ntohs(tcp_hdr(skb)->dest));
-}
-
 static void tcp_v6_reqsk_destructor(struct request_sock *req)
 {
 	kfree_skb(inet6_rsk(req)->pktopts);
@@ -1191,14 +1177,17 @@ static int tcp_v6_conn_request(struct sock *sk, struct sk_buff *skb)
 		goto drop;
 
 	if (inet_csk_reqsk_queue_is_full(sk) && !isn) {
-		if (net_ratelimit())
-			syn_flood_warning(skb);
 #ifdef CONFIG_SYN_COOKIES
-		if (sysctl_tcp_syncookies)
-			want_cookie = 1;
-		else
+		want_cookie = sysctl_tcp_syncookies;
 #endif
-		goto drop;
+		if (want_cookie)
+			NET_INC_STATS_BH(sock_net(sk),
+			      LINUX_MIB_TCPREQQFULLDOCOOKIES);
+		else {
+			NET_INC_STATS_BH(sock_net(sk),
+			    LINUX_MIB_TCPREQQFULLDROP);
+			goto drop;
+		}
 	}
 
 	if (sk_acceptq_is_full(sk) && inet_csk_reqsk_queue_young(sk) > 1)
-- 
1.7.3.1

Re: [RFC PATCH] tcp: Replace possible syn attack msg by counters

[David Miller]

From: Tom Herbert <therbert@google.com>
Date: Wed, 10 Aug 2011 22:38:02 -0700 (PDT)

> Rather than printing the message to the log, use a mib counter to keep
> track of the count of occurences of syn cookies being used or syn
> being dropped when request queue is full.
> 
> Rationale is these messages can fill up /var/log/messages on server
> which is simply under heavy load... I'm not sure how much more useful
> they would be in identifying a server DOS attack (compared to
> counters).
> 
> Signed-off-by: Tom Herbert <therbert@google.com>

Print the message once, and also do the counters.

Say something like "Possible SYN flooding, see SNMP counters." or
similar.

Because if people are grepping for that message in their logs, they
will now have a false sense of confidence seeing it not being there
any more.

Re: [RFC PATCH] tcp: Replace possible syn attack msg by counters

[Eric Dumazet]

Le mercredi 10 août 2011 à 23:13 -0700, David Miller a écrit :
> From: Tom Herbert <therbert@google.com>
> Date: Wed, 10 Aug 2011 22:38:02 -0700 (PDT)
> 
> > Rather than printing the message to the log, use a mib counter to keep
> > track of the count of occurences of syn cookies being used or syn
> > being dropped when request queue is full.
> > 
> > Rationale is these messages can fill up /var/log/messages on server
> > which is simply under heavy load... I'm not sure how much more useful
> > they would be in identifying a server DOS attack (compared to
> > counters).
> > 
> > Signed-off-by: Tom Herbert <therbert@google.com>
> 
> Print the message once, and also do the counters.
> 
> Say something like "Possible SYN flooding, see SNMP counters." or
> similar.
> 
> Because if people are grepping for that message in their logs, they
> will now have a false sense of confidence seeing it not being there
> any more.

An alternative would be to guard the message by net_msg_warn
(/proc/sys/net/core/warnings)

LIMIT_NETDEBUG(KERN_INFO "TCP: Possible SYN flooding on port %d. %s.\n" 
	...)

[PATCH] tcp: Use LIMIT_NETDEBUG in syn_flood_warning()

[Eric Dumazet]

Le jeudi 11 août 2011 à 08:33 +0200, Eric Dumazet a écrit :
> Le mercredi 10 août 2011 à 23:13 -0700, David Miller a écrit :
> > From: Tom Herbert <therbert@google.com>
> > Date: Wed, 10 Aug 2011 22:38:02 -0700 (PDT)
> > 
> > > Rather than printing the message to the log, use a mib counter to keep
> > > track of the count of occurences of syn cookies being used or syn
> > > being dropped when request queue is full.
> > > 
> > > Rationale is these messages can fill up /var/log/messages on server
> > > which is simply under heavy load... I'm not sure how much more useful
> > > they would be in identifying a server DOS attack (compared to
> > > counters).
> > > 
> > > Signed-off-by: Tom Herbert <therbert@google.com>
> > 
> > Print the message once, and also do the counters.
> > 
> > Say something like "Possible SYN flooding, see SNMP counters." or
> > similar.
> > 
> > Because if people are grepping for that message in their logs, they
> > will now have a false sense of confidence seeing it not being there
> > any more.
> 
> An alternative would be to guard the message by net_msg_warn
> (/proc/sys/net/core/warnings)
> 
> LIMIT_NETDEBUG(KERN_INFO "TCP: Possible SYN flooding on port %d. %s.\n" 
> 	...)

Here is a patch implementing this.

We could add mib counters later in a second patch, inside
tcp_syn_flood_warning()

Thanks

[PATCH] tcp: Use LIMIT_NETDEBUG in syn_flood_warning()

LIMIT_NETDEBUG allows the admin to disable some warning messages :
echo 0 > /proc/sys/net/core/warnings

Use it to avoid filling syslog on busy servers.

Based on a previous patch from Tom Herbert

Factorize syn_flood_warning() IPv4/IPv6 implementations

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
CC: Tom Herbert <therbert@google.com>
---
 include/net/tcp.h   |    1 +
 net/ipv4/tcp_ipv4.c |   14 ++++++--------
 net/ipv6/tcp_ipv6.c |   17 +----------------
 3 files changed, 8 insertions(+), 24 deletions(-)

diff --git a/include/net/tcp.h b/include/net/tcp.h
index 149a415..964341c 100644
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -460,6 +460,7 @@ extern int tcp_write_wakeup(struct sock *);
 extern void tcp_send_fin(struct sock *sk);
 extern void tcp_send_active_reset(struct sock *sk, gfp_t priority);
 extern int tcp_send_synack(struct sock *);
+extern void tcp_syn_flood_warning(const struct sk_buff *skb, const char *proto);
 extern void tcp_push_one(struct sock *, unsigned int mss_now);
 extern void tcp_send_ack(struct sock *sk);
 extern void tcp_send_delayed_ack(struct sock *sk);
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 1c12b8e..9e622da 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -808,20 +808,19 @@ static void tcp_v4_reqsk_destructor(struct request_sock *req)
 	kfree(inet_rsk(req)->opt);
 }
 
-static void syn_flood_warning(const struct sk_buff *skb)
+void tcp_syn_flood_warning(const struct sk_buff *skb, const char *proto)
 {
-	const char *msg;
+	const char *msg = "Dropping request";
 
 #ifdef CONFIG_SYN_COOKIES
 	if (sysctl_tcp_syncookies)
 		msg = "Sending cookies";
-	else
 #endif
-		msg = "Dropping request";
 
-	pr_info("TCP: Possible SYN flooding on port %d. %s.\n",
-				ntohs(tcp_hdr(skb)->dest), msg);
+	LIMIT_NETDEBUG(KERN_INFO "%s: Possible SYN flooding on port %d. %s.\n",
+		       proto, ntohs(tcp_hdr(skb)->dest), msg);
 }
+EXPORT_SYMBOL(tcp_syn_flood_warning);
 
 /*
  * Save and compile IPv4 options into the request_sock if needed.
@@ -1250,8 +1249,7 @@ int tcp_v4_conn_request(struct sock *sk, struct sk_buff *skb)
 	 * evidently real one.
 	 */
 	if (inet_csk_reqsk_queue_is_full(sk) && !isn) {
-		if (net_ratelimit())
-			syn_flood_warning(skb);
+		tcp_syn_flood_warning(skb, "TCP");
 #ifdef CONFIG_SYN_COOKIES
 		if (sysctl_tcp_syncookies) {
 			want_cookie = 1;
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index d1fb63f..a043386 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -531,20 +531,6 @@ static int tcp_v6_rtx_synack(struct sock *sk, struct request_sock *req,
 	return tcp_v6_send_synack(sk, req, rvp);
 }
 
-static inline void syn_flood_warning(struct sk_buff *skb)
-{
-#ifdef CONFIG_SYN_COOKIES
-	if (sysctl_tcp_syncookies)
-		printk(KERN_INFO
-		       "TCPv6: Possible SYN flooding on port %d. "
-		       "Sending cookies.\n", ntohs(tcp_hdr(skb)->dest));
-	else
-#endif
-		printk(KERN_INFO
-		       "TCPv6: Possible SYN flooding on port %d. "
-		       "Dropping request.\n", ntohs(tcp_hdr(skb)->dest));
-}
-
 static void tcp_v6_reqsk_destructor(struct request_sock *req)
 {
 	kfree_skb(inet6_rsk(req)->pktopts);
@@ -1192,8 +1178,7 @@ static int tcp_v6_conn_request(struct sock *sk, struct sk_buff *skb)
 		goto drop;
 
 	if (inet_csk_reqsk_queue_is_full(sk) && !isn) {
-		if (net_ratelimit())
-			syn_flood_warning(skb);
+		tcp_syn_flood_warning(skb, "TCPv6");
 #ifdef CONFIG_SYN_COOKIES
 		if (sysctl_tcp_syncookies)
 			want_cookie = 1;

Re: [PATCH] tcp: Use LIMIT_NETDEBUG in syn_flood_warning()

[Tom Herbert]

> [PATCH] tcp: Use LIMIT_NETDEBUG in syn_flood_warning()
>
> LIMIT_NETDEBUG allows the admin to disable some warning messages :
> echo 0 > /proc/sys/net/core/warnings
>
> Use it to avoid filling syslog on busy servers.
>
> Based on a previous patch from Tom Herbert
>
> Factorize syn_flood_warning() IPv4/IPv6 implementations
>

Acked-by: Tom Herbert <therbert@google.coml>

> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
> CC: Tom Herbert <therbert@google.com>
> ---
>  include/net/tcp.h   |    1 +
>  net/ipv4/tcp_ipv4.c |   14 ++++++--------
>  net/ipv6/tcp_ipv6.c |   17 +----------------
>  3 files changed, 8 insertions(+), 24 deletions(-)
>
> diff --git a/include/net/tcp.h b/include/net/tcp.h
> index 149a415..964341c 100644
> --- a/include/net/tcp.h
> +++ b/include/net/tcp.h
> @@ -460,6 +460,7 @@ extern int tcp_write_wakeup(struct sock *);
>  extern void tcp_send_fin(struct sock *sk);
>  extern void tcp_send_active_reset(struct sock *sk, gfp_t priority);
>  extern int tcp_send_synack(struct sock *);
> +extern void tcp_syn_flood_warning(const struct sk_buff *skb, const char *proto);
>  extern void tcp_push_one(struct sock *, unsigned int mss_now);
>  extern void tcp_send_ack(struct sock *sk);
>  extern void tcp_send_delayed_ack(struct sock *sk);
> diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
> index 1c12b8e..9e622da 100644
> --- a/net/ipv4/tcp_ipv4.c
> +++ b/net/ipv4/tcp_ipv4.c
> @@ -808,20 +808,19 @@ static void tcp_v4_reqsk_destructor(struct request_sock *req)
>        kfree(inet_rsk(req)->opt);
>  }
>
> -static void syn_flood_warning(const struct sk_buff *skb)
> +void tcp_syn_flood_warning(const struct sk_buff *skb, const char *proto)
>  {
> -       const char *msg;
> +       const char *msg = "Dropping request";
>
>  #ifdef CONFIG_SYN_COOKIES
>        if (sysctl_tcp_syncookies)
>                msg = "Sending cookies";
> -       else
>  #endif
> -               msg = "Dropping request";
>
> -       pr_info("TCP: Possible SYN flooding on port %d. %s.\n",
> -                               ntohs(tcp_hdr(skb)->dest), msg);
> +       LIMIT_NETDEBUG(KERN_INFO "%s: Possible SYN flooding on port %d. %s.\n",
> +                      proto, ntohs(tcp_hdr(skb)->dest), msg);
>  }
> +EXPORT_SYMBOL(tcp_syn_flood_warning);
>
>  /*
>  * Save and compile IPv4 options into the request_sock if needed.
> @@ -1250,8 +1249,7 @@ int tcp_v4_conn_request(struct sock *sk, struct sk_buff *skb)
>         * evidently real one.
>         */
>        if (inet_csk_reqsk_queue_is_full(sk) && !isn) {
> -               if (net_ratelimit())
> -                       syn_flood_warning(skb);
> +               tcp_syn_flood_warning(skb, "TCP");
>  #ifdef CONFIG_SYN_COOKIES
>                if (sysctl_tcp_syncookies) {
>                        want_cookie = 1;
> diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
> index d1fb63f..a043386 100644
> --- a/net/ipv6/tcp_ipv6.c
> +++ b/net/ipv6/tcp_ipv6.c
> @@ -531,20 +531,6 @@ static int tcp_v6_rtx_synack(struct sock *sk, struct request_sock *req,
>        return tcp_v6_send_synack(sk, req, rvp);
>  }
>
> -static inline void syn_flood_warning(struct sk_buff *skb)
> -{
> -#ifdef CONFIG_SYN_COOKIES
> -       if (sysctl_tcp_syncookies)
> -               printk(KERN_INFO
> -                      "TCPv6: Possible SYN flooding on port %d. "
> -                      "Sending cookies.\n", ntohs(tcp_hdr(skb)->dest));
> -       else
> -#endif
> -               printk(KERN_INFO
> -                      "TCPv6: Possible SYN flooding on port %d. "
> -                      "Dropping request.\n", ntohs(tcp_hdr(skb)->dest));
> -}
> -
>  static void tcp_v6_reqsk_destructor(struct request_sock *req)
>  {
>        kfree_skb(inet6_rsk(req)->pktopts);
> @@ -1192,8 +1178,7 @@ static int tcp_v6_conn_request(struct sock *sk, struct sk_buff *skb)
>                goto drop;
>
>        if (inet_csk_reqsk_queue_is_full(sk) && !isn) {
> -               if (net_ratelimit())
> -                       syn_flood_warning(skb);
> +               tcp_syn_flood_warning(skb, "TCPv6");
>  #ifdef CONFIG_SYN_COOKIES
>                if (sysctl_tcp_syncookies)
>                        want_cookie = 1;
>
>
>

Re: [PATCH] tcp: Use LIMIT_NETDEBUG in syn_flood_warning()

[David Miller]

From: Eric Dumazet <eric.dumazet@gmail.com>
Date: Fri, 12 Aug 2011 08:08:30 +0200

> [PATCH] tcp: Use LIMIT_NETDEBUG in syn_flood_warning()
> 
> LIMIT_NETDEBUG allows the admin to disable some warning messages :
> echo 0 > /proc/sys/net/core/warnings
> 
> Use it to avoid filling syslog on busy servers.
> 
> Based on a previous patch from Tom Herbert
> 
> Factorize syn_flood_warning() IPv4/IPv6 implementations
> 
> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
> CC: Tom Herbert <therbert@google.com>

This is a big hammer with no granularity.

I have to give up other potentially interesting log messages (open
request drops, IP frag out-of-memory, etc.) just to get this one to go
away.

I still stand by my original suggestion, print unconditionally and
only once, and also add the statistics counters.

[PATCH v2] tcp: Change possible SYN flooding messages

[Eric Dumazet]

"Possible SYN flooding on port xxxx " messages can fill logs on servers.

Change logic to log the message only once per listener, and add two new
SNMP counters to track :

TCPReqQFullDoCookies : number of times a SYNCOOKIE was replied to client

TCPReqQFullDrop : number of times a SYN request was dropped because
syncookies were not enabled.

Based on a prior patch from Tom Herbert, and suggestions from David.

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
CC: Tom Herbert <therbert@google.com>
---
 include/linux/snmp.h       |    2 +
 include/net/request_sock.h |    3 +-
 include/net/tcp.h          |    3 ++
 net/ipv4/proc.c            |    2 +
 net/ipv4/tcp_ipv4.c        |   49 ++++++++++++++++++++---------------
 net/ipv6/tcp_ipv6.c        |   31 ++--------------------
 6 files changed, 40 insertions(+), 50 deletions(-)

diff --git a/include/linux/snmp.h b/include/linux/snmp.h
index 12b2b18..e16557a 100644
--- a/include/linux/snmp.h
+++ b/include/linux/snmp.h
@@ -231,6 +231,8 @@ enum
 	LINUX_MIB_TCPDEFERACCEPTDROP,
 	LINUX_MIB_IPRPFILTER, /* IP Reverse Path Filter (rp_filter) */
 	LINUX_MIB_TCPTIMEWAITOVERFLOW,		/* TCPTimeWaitOverflow */
+	LINUX_MIB_TCPREQQFULLDOCOOKIES,		/* TCPReqQFullDoCookies */
+	LINUX_MIB_TCPREQQFULLDROP,		/* TCPReqQFullDrop */
 	__LINUX_MIB_MAX
 };
 
diff --git a/include/net/request_sock.h b/include/net/request_sock.h
index 99e6e19..4c0766e 100644
--- a/include/net/request_sock.h
+++ b/include/net/request_sock.h
@@ -96,7 +96,8 @@ extern int sysctl_max_syn_backlog;
  */
 struct listen_sock {
 	u8			max_qlen_log;
-	/* 3 bytes hole, try to use */
+	u8			synflood_warned;
+	/* 2 bytes hole, try to use */
 	int			qlen;
 	int			qlen_young;
 	int			clock_hand;
diff --git a/include/net/tcp.h b/include/net/tcp.h
index 149a415..e9b48b0 100644
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -460,6 +460,9 @@ extern int tcp_write_wakeup(struct sock *);
 extern void tcp_send_fin(struct sock *sk);
 extern void tcp_send_active_reset(struct sock *sk, gfp_t priority);
 extern int tcp_send_synack(struct sock *);
+extern int tcp_syn_flood_action(struct sock *sk,
+				const struct sk_buff *skb,
+				const char *proto);
 extern void tcp_push_one(struct sock *, unsigned int mss_now);
 extern void tcp_send_ack(struct sock *sk);
 extern void tcp_send_delayed_ack(struct sock *sk);
diff --git a/net/ipv4/proc.c b/net/ipv4/proc.c
index b14ec7d..4bfad5d 100644
--- a/net/ipv4/proc.c
+++ b/net/ipv4/proc.c
@@ -254,6 +254,8 @@ static const struct snmp_mib snmp4_net_list[] = {
 	SNMP_MIB_ITEM("TCPDeferAcceptDrop", LINUX_MIB_TCPDEFERACCEPTDROP),
 	SNMP_MIB_ITEM("IPReversePathFilter", LINUX_MIB_IPRPFILTER),
 	SNMP_MIB_ITEM("TCPTimeWaitOverflow", LINUX_MIB_TCPTIMEWAITOVERFLOW),
+	SNMP_MIB_ITEM("TCPReqQFullDoCookies", LINUX_MIB_TCPREQQFULLDOCOOKIES),
+	SNMP_MIB_ITEM("TCPReqQFullDrop", LINUX_MIB_TCPREQQFULLDROP),
 	SNMP_MIB_SENTINEL
 };
 
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index b3f2611..c29912c 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -808,20 +808,38 @@ static void tcp_v4_reqsk_destructor(struct request_sock *req)
 	kfree(inet_rsk(req)->opt);
 }
 
-static void syn_flood_warning(const struct sk_buff *skb)
+/*
+ * Return 1 if a syncookie should be sent
+ */
+int tcp_syn_flood_action(struct sock *sk,
+			 const struct sk_buff *skb,
+			 const char *proto)
 {
-	const char *msg;
+	const char *msg = "Dropping request";
+	int want_cookie = 0;
+	struct listen_sock *lopt;
+
+
 
 #ifdef CONFIG_SYN_COOKIES
-	if (sysctl_tcp_syncookies)
+	if (sysctl_tcp_syncookies) {
 		msg = "Sending cookies";
-	else
+		want_cookie = 1;
+		NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPREQQFULLDOCOOKIES);
+	} else
 #endif
-		msg = "Dropping request";
+		NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPREQQFULLDROP);
 
-	pr_info("TCP: Possible SYN flooding on port %d. %s.\n",
-				ntohs(tcp_hdr(skb)->dest), msg);
+	lopt = inet_csk(sk)->icsk_accept_queue.listen_opt;
+	if (!lopt->synflood_warned) {
+		lopt->synflood_warned = 1;
+		pr_info("%s: Possible SYN flooding on port %d. %s. "
+			" Check SNMP counters.\n",
+			proto, ntohs(tcp_hdr(skb)->dest), msg);
+	}
+	return want_cookie;
 }
+EXPORT_SYMBOL(tcp_syn_flood_action);
 
 /*
  * Save and compile IPv4 options into the request_sock if needed.
@@ -1235,11 +1253,7 @@ int tcp_v4_conn_request(struct sock *sk, struct sk_buff *skb)
 	__be32 saddr = ip_hdr(skb)->saddr;
 	__be32 daddr = ip_hdr(skb)->daddr;
 	__u32 isn = TCP_SKB_CB(skb)->when;
-#ifdef CONFIG_SYN_COOKIES
 	int want_cookie = 0;
-#else
-#define want_cookie 0 /* Argh, why doesn't gcc optimize this :( */
-#endif
 
 	/* Never answer to SYNs send to broadcast or multicast */
 	if (skb_rtable(skb)->rt_flags & (RTCF_BROADCAST | RTCF_MULTICAST))
@@ -1250,14 +1264,9 @@ int tcp_v4_conn_request(struct sock *sk, struct sk_buff *skb)
 	 * evidently real one.
 	 */
 	if (inet_csk_reqsk_queue_is_full(sk) && !isn) {
-		if (net_ratelimit())
-			syn_flood_warning(skb);
-#ifdef CONFIG_SYN_COOKIES
-		if (sysctl_tcp_syncookies) {
-			want_cookie = 1;
-		} else
-#endif
-		goto drop;
+		want_cookie = tcp_syn_flood_action(sk, skb, "TCP");
+		if (!want_cookie)
+			goto drop;
 	}
 
 	/* Accept backlog is full. If we have already queued enough
@@ -1303,9 +1312,7 @@ int tcp_v4_conn_request(struct sock *sk, struct sk_buff *skb)
 		while (l-- > 0)
 			*c++ ^= *hash_location++;
 
-#ifdef CONFIG_SYN_COOKIES
 		want_cookie = 0;	/* not our kind of cookie */
-#endif
 		tmp_ext.cookie_out_never = 0; /* false */
 		tmp_ext.cookie_plus = tmp_opt.cookie_plus;
 	} else if (!tp->rx_opt.cookie_in_always) {
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index 44a5859..12bdb9a 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -531,20 +531,6 @@ static int tcp_v6_rtx_synack(struct sock *sk, struct request_sock *req,
 	return tcp_v6_send_synack(sk, req, rvp);
 }
 
-static inline void syn_flood_warning(struct sk_buff *skb)
-{
-#ifdef CONFIG_SYN_COOKIES
-	if (sysctl_tcp_syncookies)
-		printk(KERN_INFO
-		       "TCPv6: Possible SYN flooding on port %d. "
-		       "Sending cookies.\n", ntohs(tcp_hdr(skb)->dest));
-	else
-#endif
-		printk(KERN_INFO
-		       "TCPv6: Possible SYN flooding on port %d. "
-		       "Dropping request.\n", ntohs(tcp_hdr(skb)->dest));
-}
-
 static void tcp_v6_reqsk_destructor(struct request_sock *req)
 {
 	kfree_skb(inet6_rsk(req)->pktopts);
@@ -1179,11 +1165,7 @@ static int tcp_v6_conn_request(struct sock *sk, struct sk_buff *skb)
 	struct tcp_sock *tp = tcp_sk(sk);
 	__u32 isn = TCP_SKB_CB(skb)->when;
 	struct dst_entry *dst = NULL;
-#ifdef CONFIG_SYN_COOKIES
 	int want_cookie = 0;
-#else
-#define want_cookie 0
-#endif
 
 	if (skb->protocol == htons(ETH_P_IP))
 		return tcp_v4_conn_request(sk, skb);
@@ -1192,14 +1174,9 @@ static int tcp_v6_conn_request(struct sock *sk, struct sk_buff *skb)
 		goto drop;
 
 	if (inet_csk_reqsk_queue_is_full(sk) && !isn) {
-		if (net_ratelimit())
-			syn_flood_warning(skb);
-#ifdef CONFIG_SYN_COOKIES
-		if (sysctl_tcp_syncookies)
-			want_cookie = 1;
-		else
-#endif
-		goto drop;
+		want_cookie = tcp_syn_flood_action(sk, skb, "TCPv6");
+		if (!want_cookie)
+			goto drop;
 	}
 
 	if (sk_acceptq_is_full(sk) && inet_csk_reqsk_queue_young(sk) > 1)
@@ -1249,9 +1226,7 @@ static int tcp_v6_conn_request(struct sock *sk, struct sk_buff *skb)
 		while (l-- > 0)
 			*c++ ^= *hash_location++;
 
-#ifdef CONFIG_SYN_COOKIES
 		want_cookie = 0;	/* not our kind of cookie */
-#endif
 		tmp_ext.cookie_out_never = 0; /* false */
 		tmp_ext.cookie_plus = tmp_opt.cookie_plus;
 	} else if (!tp->rx_opt.cookie_in_always) {

Re: [PATCH v2] tcp: Change possible SYN flooding messages

[David Miller]

From: Eric Dumazet <eric.dumazet@gmail.com>
Date: Tue, 30 Aug 2011 15:21:44 +0200

> "Possible SYN flooding on port xxxx " messages can fill logs on servers.
> 
> Change logic to log the message only once per listener, and add two new
> SNMP counters to track :
> 
> TCPReqQFullDoCookies : number of times a SYNCOOKIE was replied to client
> 
> TCPReqQFullDrop : number of times a SYN request was dropped because
> syncookies were not enabled.
> 
> Based on a prior patch from Tom Herbert, and suggestions from David.
> 
> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>

Applied, thanks Eric.