SYN-SENT userland timeout #15
Comments
|
I added a default timeout of 1 second before uncompleted handshakes are reaped, it's configured with |
I'm not reading the source (sorry) but I want to make sure that it is imperative that WT-EXIT on a Instead it should be up to the origin-host (nmap) to re-try the connection by re-transmitting the SYN. The origin-host wont do this if WT-EXIT (wrongfully) sent a FIN/RST. Tthe real target never send a FIN/RST and thus WT-EXIT shall not send a FIN/RST to the origin-host (nmap) either. thanks for double checking and sorry for being pedantic :> |
|
No worries 😄 That is correct, |
I'm using https://thc.org/segfault/wireguard with the wiretap v0.3.0 (--simple branch) with WIRETAP_SIMPLE=true ./wiretap_linux_amd64 serve --ipv4-relay 192.168.0.1 --ipv6-relay fd::1 --allowed 192.168.0.1/28,fd::1/125
The Exit Node is a Linux x86_64 running wiretap.
The origin host runs network scans using nmap or masscan.
The userland wiretap process tcp connect keeps the connection for a very long time in state SYN-SENT.
This can cause port exhaustion on the exit node (wiretap) when scanning a non-existing host on the Internet:
and even worse if masscan is used:
It would be desirable for wiretap to close the connection between wiretap and the target (and not forward a RST/FIN to upstream) after 10 seconds. The assumption is that if the target hasn't responded with a SYN-ACK within 10 seconds then the wiretap can 'drop' the connection.
The origin-server may still re-transmit the SYN again and again (in case it's not a masscan/nmap-scan) but in that case and with the original 'forwarding connection' having been closed already, wiretap would detect the re-transmitted SYN as a first SYN from Origin-server and just call Connect() to the target again.....
The text was updated successfully, but these errors were encountered: