Too small scrape request packets may trip SYN flood detection of some trackers #964

Closed
Piteras00 opened this issue Aug 3, 2019 · 12 comments · Fixed by #3236

Piteras00 commented Aug 3, 2019

int const sndbuf = isScrape ? 4096 : 1024;
int const rcvbuf = isScrape ? 4096 : 3072;

I have recently stumbled upon a tracker that was moved to another server, after which Transmission users couldn't connect to (resulting in announce and scrape errors), while all other torrent clients worked alright. Turned out the tracker is not responding to any SYN packets smaller than 4096 bytes, forcing the window size to 4096 made it work again - hence the SYN flood detection guess.

As this kind of protection is becoming widespread, so may become this problem. Is there any reason for these packets to be so small, and if so, maybe it would be a good idea to make that configurable?

itorres commented Aug 4, 2019

It seems this change was introduced by @ckerr on commit 6eec590

The patch to increase it a bit is on 0be5e8d

So the problem is probably that the minimum size should be 4096 both for scrapes and announcements.

lilws commented Aug 10, 2019

> int const sndbuf = isScrape ? 4096 : 1024;
> int const rcvbuf = isScrape ? 4096 : 3072;
>
> I have recently stumbled upon a tracker that was moved to another server, after which Transmission users couldn't connect to (resulting in announce and scrape errors), while all other torrent clients worked alright. Turned out the tracker is not responding to any SYN packets smaller than 4096 bytes, forcing the window size to 4096 made it work again - hence the SYN flood detection guess.
>
> As this kind of protection is becoming widespread, so may become this problem. Is there any reason for these packets to be so small, and if so, maybe it would be a good idea to make that configurable?

Hi, I wonder how do you know how much the tracker SYN requires? I recently have the same problem with scrape errors too.

@Piteras00
Author

> Hi, I wonder how do you know how much the tracker SYN requires? I recently have the same problem with scrape errors too.

I figured it out by simple trial and error using TCPWIN iptables extension:

iptables -t mangle -I OUTPUT -p tcp --tcp-flags SYN SYN -j TCPWIN --tcpwin-set 4096 -d [tracker IP]

Other users of said tracker also confirmed that increasing TCP window scaling works:

sysctl -w net.ipv4.tcp_adv_win_scale=4

I'm not sure how does this affect networking performance of the box you do this on though, since this is a system-wide setting.

@ttyridal

Just experienced a tracker (or more likely their new firewall) where 4096 was still not enough. Removed the whole setsocketopt function body and it started working again.

[2019-08-16 23:09:24.228] SO_SNDBUF size is 16384 (fdlimit.c:541)
[2019-08-16 23:09:24.228] SO_RCVBUF size is 87380 (fdlimit.c:543)

neheb added a commit to neheb/packages that referenced this issue Sep 9, 2019
Some firewalls mandate a minimum size of 4k for SYN packets, which
transmission does not do by default. Upstream issue here:

transmission/transmission#964

Cleanup:

Got rid of transmission-cli. -cli is deprecated and replaced by -remote.

Fixed license info.

Removed two unnecessary patches.

Ran shell script through shellcheck.

Signed-off-by: Rosen Penev <rosenp@gmail.com>

neheb commented Sep 10, 2019

sysctl works. Problem should still be fixed here though.

Nadahar commented Nov 18, 2019

Is there any progress on this? Sysctl is only a temporary fix that must be reapplied, and it's easy to forget this - including what parameter must be set.

neheb added a commit to openwrt/packages that referenced this issue Nov 25, 2019
Some firewalls mandate a minimum size of 4k for SYN packets, which
transmission does not do by default. Upstream issue here:

transmission/transmission#964

Cleanup:

Fixed license info.

Removed two unnecessary patches.

Ran shell script through shellcheck.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
(cherry-picked from 730a169)

qome commented Jan 12, 2020

@Nadahar I agree that it should be changed here, but you don't need to re-apply it every reboot. You can put it in /etc/sysctl.conf.

zwei7 commented Apr 15, 2020

Bakabt won't work anymore due to "SYN packets with size smaller than 4096 are being dropped." May you fix this in the next update? Rather not use Vuze. Thanks!

The following is a message on their forum:
Re: No longer able to download or reseed torrent - Transmission 2.94 - (Known Issue)
« Reply #20 on: August 03, 2019, 01:37:11 pm »
Quote
Window size was a good lead. I've done some more research and it would seem SYN packets with size smaller than 4096 are being dropped.

I've done this using a Windows installation of Transmission 2.94. Even though it got a response eventually I still got a scrape error. Not yet sure what caused it to send a larger window. uT 2.2.1 uses window size of 64240, guess that's why it works alright.

I've also learned that something named TCP Small Window Attack Protection exists. You might want to ask your service provider whether they've got something like that installed and if so, is it possible to disable it for your server.

UPDATE: Managed to make Transmission on my seedbox work using TCPWIN iptables extension.

iptables -t mangle -I OUTPUT -p tcp --tcp-flags SYN SYN -j TCPWIN --tcpwin-set 4096 -d 78.142.29.192
Edit: typo in the command

This basically forces size of all SYN packets sent to the tracker to have size of 4096 bytes. No doubts about that being a filtering issue now, Transmission's requests are fine.

Of course this isn't a fix suggestion, I think most people would rather find another client that works than go that far to stick with what they have. If there's anyone who wants to try this, I can walk you through (at least on Debian).
« Last Edit: August 03, 2019, 07:05:17 pm by Piteras00 »

@ChaosBlades

> Bakabt won't work anymore due to "SYN packets with size smaller than 4096 are being dropped." May you fix this in the next update? Rather not use Vuze. Thanks!
>
> The following is a message on their forum:
> Re: No longer able to download or reseed torrent - Transmission 2.94 - (Known Issue)
> « Reply #20 on: August 03, 2019, 01:37:11 pm »
> Quote
> Window size was a good lead. I've done some more research and it would seem SYN packets with size smaller than 4096 are being dropped.
>
> I've done this using a Windows installation of Transmission 2.94. Even though it got a response eventually I still got a scrape error. Not yet sure what caused it to send a larger window. uT 2.2.1 uses window size of 64240, guess that's why it works alright.
>
> I've also learned that something named TCP Small Window Attack Protection exists. You might want to ask your service provider whether they've got something like that installed and if so, is it possible to disable it for your server.
>
> UPDATE: Managed to make Transmission on my seedbox work using TCPWIN iptables extension.
>
> iptables -t mangle -I OUTPUT -p tcp --tcp-flags SYN SYN -j TCPWIN --tcpwin-set 4096 -d 78.142.29.192
> Edit: typo in the command
>
> This basically forces size of all SYN packets sent to the tracker to have size of 4096 bytes. No doubts about that being a filtering issue now, Transmission's requests are fine.
>
> Of course this isn't a fix suggestion, I think most people would rather find another client that works than go that far to stick with what they have. If there's anyone who wants to try this, I can walk you through (at least on Debian).
> « Last Edit: August 03, 2019, 07:05:17 pm by Piteras00 »

Change <...>announce.php to <...>announce.php?scrape on BakaBT

3.00 still needs to be whitelisted by the tracker... fyi if you are using it.

zwei7 commented May 13, 2020 via email

ckerr added this to the 4.0.0-beta.1 milestone Apr 26, 2022

ckerr commented May 13, 2022

There is a lot of discussion here, so just to make sure I haven't missed some context: all that's needed here is, when we reduce the sndbuf / rcvbuf size e.g. for scrapes and announces, to use 4096 as the floor, correct?

neheb commented May 13, 2022

Yes.

An alternate fix is with sysctl:

# Some firewalls block SYN packets that are too small
net.ipv4.tcp_adv_win_scale = 4
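
The floor agreed on in the last two comments, sketched in C as an added example (not Transmission's code; `clamp_to_floor` and `set_floored_buffers` are hypothetical names). It raises the requested SO_SNDBUF / SO_RCVBUF to at least 4096 before connect() and reads back what the kernel actually granted:

```c
#include <sys/socket.h>
#include <unistd.h>
#include <stdio.h>

/* Floor discussed in the thread: never request a buffer below 4096 bytes. */
enum { TRACKER_BUF_FLOOR = 4096 };

/* Hypothetical helper: raise a requested size to the floor. */
static int clamp_to_floor(int requested)
{
    return requested < TRACKER_BUF_FLOOR ? TRACKER_BUF_FLOOR : requested;
}

/* Hypothetical helper: apply floored buffer sizes to fd (call before
 * connect()) and report the effective values. Returns 0 on success,
 * -1 if any socket call fails. */
static int set_floored_buffers(int fd, int sndbuf, int rcvbuf,
                               int *eff_snd, int *eff_rcv)
{
    int snd = clamp_to_floor(sndbuf);
    int rcv = clamp_to_floor(rcvbuf);
    socklen_t len = sizeof(int);

    if (setsockopt(fd, SOL_SOCKET, SO_SNDBUF, &snd, sizeof snd) != 0 ||
        setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &rcv, sizeof rcv) != 0)
        return -1;
    if (getsockopt(fd, SOL_SOCKET, SO_SNDBUF, eff_snd, &len) != 0)
        return -1;
    len = sizeof(int);
    if (getsockopt(fd, SOL_SOCKET, SO_RCVBUF, eff_rcv, &len) != 0)
        return -1;
    return 0;
}

int main(void)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    int eff_snd = 0, eff_rcv = 0;
    if (fd < 0) { perror("socket"); return 1; }
    /* 1024 / 3072 are the non-scrape values quoted in the issue. */
    if (set_floored_buffers(fd, 1024, 3072, &eff_snd, &eff_rcv) != 0) {
        perror("sockopt"); close(fd); return 1;
    }
    printf("SO_SNDBUF size is %d\nSO_RCVBUF size is %d\n", eff_snd, eff_rcv);
    close(fd);
    return 0;
}
```

On Linux the values read back are normally larger than the ones requested, because the kernel doubles the requested size to leave room for bookkeeping overhead.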
