Project

General

Profile

Actions

Bug #5856

closed

stream: SYN/ACK timestamp checking blocks valid traffic

Added by Victor Julien almost 2 years ago. Updated over 1 year ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

In a controlled test, the following has been observed:

1.      SYN             TS A    SEQ X   Accepted by Suricata, TS initialized to A
2. +1s  SYN resend      TS B    SEQ X   Accepted by Suricata, updated TS to B
3. +0s  SYN/ACK         TS A    ACK X   Dropped by Suricata because TS A != TS B
4. +1s  SYN/ACK resend  TS A    ACK X   Dropped by Suricata because TS A != TS B
5. +1s  SYN resend      TS C    SEQ X   Accepted by Suricata, updated TS to C
6. +0s  SYN/ACK resend  TS A    ACK X   Dropped by Suricata because TS A != TS C

... repeats this pattern for a few packets ...

Flow is considered timed out and evicted.

13. +9s SYN/ACK midstream pick up
... tls session treated normally 

In short, after receiving additional SYN packets after the first, Suricata wants the SYN/ACK to match the last SYN, not the first. However it appears that the server insists on responding to the first SYN. Note that the SYNs identical except for the timestamp option.

Because Suricata blocks the SYN/ACK packets it considers invalid, the connection stays in the NEW state, which means that the flow is evicted much more aggressively than an established flow.

Only once the flow is timeout out and a new flow is created midstream does Suricata allow it to pass fully.

If midstream is not enabled the behavior will depend on the stream.midstream-policy setting.


Subtasks 1 (0 open1 closed)

Bug #5889: stream: SYN/ACK timestamp checking blocks valid traffic (6.0.x backport)ClosedVictor JulienActions

Related issues 1 (1 open0 closed)

Related to Suricata - Documentation #6369: stream: document stream.3whs_syn_flood and stream.3whs_synack_floodNewOISF DevActions
Actions #1

Updated by OISF Ticketbot almost 2 years ago

  • Subtask #5889 added
Actions #2

Updated by OISF Ticketbot almost 2 years ago

  • Label deleted (Needs backport to 6.0)
Actions #3

Updated by Victor Julien over 1 year ago

  • Status changed from In Progress to Closed
Actions #4

Updated by Victor Julien over 1 year ago

  • Private changed from Yes to No
Actions #5

Updated by Victor Julien over 1 year ago

  • Related to Documentation #6369: stream: document stream.3whs_syn_flood and stream.3whs_synack_flood added
Actions

Also available in: Atom PDF