Too small scrape request packets may trip SYN flood detection of some trackers #964
Comments
Hi, I wonder how you know how much the tracker SYN requires? I recently had the same problem with scrape errors too.
I figured it out by simple trial and error using TCPWIN iptables extension:
Other users of said tracker also confirmed that increasing TCP window scaling works:
I'm not sure how this affects networking performance of the box you do this on though, since this is a system-wide setting.
Just experienced a tracker (or more likely their new firewall) where 4096 was still not enough. Removed the whole setsocketopt function body and it started working again.
Some firewalls mandate a minimum size of 4k for SYN packets, which transmission does not do by default. Upstream issue here: transmission/transmission#964 Cleanup: Got rid of transmission-cli. -cli is deprecated and replaced by -remote. Fixed license info. Removed two unnecessary patches. Ran shell script through shellcheck. Signed-off-by: Rosen Penev <rosenp@gmail.com>
sysctl works. Problem should still be fixed here though.
Some firewalls mandate a minimum size of 4k for SYN packets, which transmission does not do by default. Upstream issue here: transmission/transmission#964 Cleanup: Fixed license info. Removed two unnecessary patches. Ran shell script through shellcheck. Signed-off-by: Rosen Penev <rosenp@gmail.com>
Is there any progress on this? Sysctl is only a temporary fix that must be reapplied, and it's easy to forget this - including what parameter must be set.
Some firewalls mandate a minimum size of 4k for SYN packets, which transmission does not do by default. Upstream issue here: transmission/transmission#964 Cleanup: Fixed license info. Removed two unnecessary patches. Ran shell script through shellcheck. Signed-off-by: Rosen Penev <rosenp@gmail.com> (cherry-picked from 730a169)
@Nadahar I agree that it should be changed here, but you don't need to re-apply it every reboot. You can put it in
Bakabt won't work anymore due to "SYN packets with size smaller than 4096 are being dropped." May you fix this in the next update? Rather not use Vuze. Thanks! The following is a message on their forum: I've done this using a Windows installation of Transmission 2.94. Even though it got a response eventually I still got a scrape error. Not yet sure what caused it to send a larger window. uT 2.2.1 uses window size of 64240, guess that's why it works alright. I've also learned that something named TCP Small Window Attack Protection exists. You might want to ask your service provider whether they've got something like that installed and if so, is it possible to disable it for your server. UPDATE: Managed to make Transmission on my seedbox work using TCPWIN iptables extension. Code: [Select] This basically forces size of all SYN packets sent to the tracker to have size of 4096 bytes. No doubts about that being a filtering issue now, Transmission's requests are fine. Of course this isn't a fix suggestion, I think most people would rather find another client that works than go that far to stick with what they have. If there's anyone who wants to try this, I can walk you through (at least on Debian).
Change <...>announce.php to <...>announce.php?scrape on BakaBT 3.00 still needs to be whitelisted by the tracker... fyi if you are using it.
Thanks!
…________________________________
From: ChaosBlades <notifications@github.com>
Sent: Wednesday, May 13, 2020 7:22:39 AM
To: transmission/transmission <transmission@noreply.github.com>
Cc: zwei7 <brianfong26@hotmail.com>; Comment <comment@noreply.github.com>
Subject: Re: [transmission/transmission] Too small scrape request packets may trip SYN flood detection of some trackers (#964)
Bakabt won't work anymore due to "SYN packets with size smaller than 4096 are being dropped." May you fix this in the next update? Rather not use Vuze. Thanks!
The following is a message on their forum:
Re: No longer able to download or reseed torrent - Transmission 2.94 - (Known Issue)
« Reply #20<#20> on: August 03, 2019, 01:37:11 pm »
Quote
Window size was a good lead. I've done some more research and it would seem SYN packets with size smaller than 4096 are being dropped.
I've done this using a Windows installation of Transmission 2.94. Even though it got a response eventually I still got a scrape error. Not yet sure what caused it to send a larger window. uT 2.2.1 uses window size of 64240, guess that's why it works alright.
I've also learned that something named TCP Small Window Attack Protection exists. You might want to ask your service provider whether they've got something like that installed and if so, is it possible to disable it for your server.
UPDATE: Managed to make Transmission on my seedbox work using TCPWIN iptables extension.
Code: [Select]
iptables -t mangle -I OUTPUT -p tcp --tcp-flags SYN SYN -j TCPWIN --tcpwin-set 4096 -d 78.142.29.192
Edit: typo in the command
This basically forces size of all SYN packets sent to the tracker to have size of 4096 bytes. No doubts about that being a filtering issue now, Transmission's requests are fine.
Of course this isn't a fix suggestion, I think most people would rather find another client that works than go that far to stick with what they have. If there's anyone who wants to try this, I can walk you through (at least on Debian).
« Last Edit: August 03, 2019, 07:05:17 pm by Piteras00 »
Change <...>announce.php to <...>announce.php?scrape on BakaBT
3.00 still needs to be whitelisted by the tracker... fyi if you are using it.
There is a lot of discussion here, so just to make sure I haven't missed some context: all that's needed here is, when we reduce the sndbuf / rcvbuf size e.g. for scrapes and announces, to use 4096 as the floor, correct?
Yes. An alternate fix is with sysctl:
transmission/libtransmission/web.c
Lines 143 to 144 in 5a5fe7d
I have recently stumbled upon a tracker that was moved to another server, after which Transmission users couldn't connect to it (resulting in announce and scrape errors), while all other torrent clients worked alright. Turned out the tracker is not responding to any SYN packets smaller than 4096 bytes; forcing the window size to 4096 made it work again - hence the SYN flood detection guess.
As this kind of protection is becoming widespread, so may this problem. Is there any reason for these packets to be so small, and if so, maybe it would be a good idea to make that configurable?
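The 4096-byte floor proposed in this discussion, sketched as an added example (not Transmission's code; `MIN_SOCKBUF`, `clamp_sockbuf` and `shrink_buffers_for_small_request` are hypothetical names). It clamps the requested SO_SNDBUF/SO_RCVBUF values before connect() and reads back what the kernel actually applied:

```c
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>

/* Assumed floor, taken from the 4096-byte figure reported in this thread. */
#define MIN_SOCKBUF 4096

/* Hypothetical helper: a "small request" tuning never goes below the floor. */
static int clamp_sockbuf(int requested)
{
    return requested < MIN_SOCKBUF ? MIN_SOCKBUF : requested;
}

/* Set one buffer option; return the size the kernel reports afterwards, -1 on error. */
static int set_buf(int fd, int opt, int requested)
{
    int want = clamp_sockbuf(requested);
    int got = 0;
    socklen_t len = sizeof(got);

    if (setsockopt(fd, SOL_SOCKET, opt, &want, sizeof(want)) != 0)
        return -1;
    if (getsockopt(fd, SOL_SOCKET, opt, &got, &len) != 0)
        return -1;
    return got; /* Linux reports double the requested value (bookkeeping overhead). */
}

/* Call before connect(): the window advertised in the SYN is derived from the
 * receive buffer size in effect when the handshake starts. */
int shrink_buffers_for_small_request(int fd, int sndbuf, int rcvbuf,
                                     int *eff_snd, int *eff_rcv)
{
    *eff_snd = set_buf(fd, SO_SNDBUF, sndbuf);
    *eff_rcv = set_buf(fd, SO_RCVBUF, rcvbuf);
    return (*eff_snd < 0 || *eff_rcv < 0) ? -1 : 0;
}

int main(void)
{
    int snd, rcv;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) { perror("socket"); return 1; }
    /* 1024 and 3072 are constructed sample requests, both below the floor. */
    if (shrink_buffers_for_small_request(fd, 1024, 3072, &snd, &rcv) != 0)
        perror("setsockopt");
    else
        printf("effective SO_SNDBUF=%d SO_RCVBUF=%d\n", snd, rcv);
    close(fd);
    return 0;
}
```
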