Internet Explorer vs syn-flooding

I was playing with the firewall on my server and I thought that implementing syn-flood protection would be a Good Idea(TM). Famous last words…

Here’s what I did:

iptables -N syn-flood
iptables -A INPUT -i $IFACE -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP

You may have noticed by now that a 1/s limit and a burst of 4 are not very happy settings… However, the server ran fairly well, so I completely forgot about it.

A couple of days later, people started complaining about web pages being really slow. I checked, and it turned out that the problem manifested itself only in Internet Explorer and, furthermore, only for the images on various pages. I went over what I had done to the server lately and eventually pinpointed the syn-flood rules as the culprit.

In retrospect, it was interesting to see that Explorer apparently throws quite a bunch of requests at the server simultaneously, and the server choked on them. I wouldn’t have picked up the problem on my own, since I use Firefox. The default network settings in about:config are apparently sane enough that even if there was a slight delay in loading the pages, it was nothing noticeable.

Eventually I decided to make an exception for HTTP(S), so I changed the rules to the following:

iptables -N syn-flood
iptables -A INPUT -i $IFACE -p tcp --syn -j syn-flood
for P in 80 443; do iptables -A syn-flood -p tcp --dport $P -j RETURN; done
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP

Perhaps I should change the limit values too… but since I’m the only person using services other than HTTP on that machine, and since I seem to get by fine, maybe I won’t.
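To see why the first rule set hurt browsers that open several connections at once, and why exempting ports 80 and 443 fixed it, here is a small token-bucket model of the `-m limit` match. This is an added example, not code from the original post: `LimitMatch`, `syn_flood_chain` and `simulate_page_load` are my own names, the simulation is an approximation of netfilter's limit match rather than its actual code, and the SYN retransmit schedule (3 s, 6 s, 12 s, then give up) is an assumption about the client. The page-load simulation also lets you try other `--limit`/`--limit-burst` values before putting them on a live box.

```python
# Added example (not from the original post): a token-bucket model of
# netfilter's `-m limit` match, used to show why `--limit 1/s
# --limit-burst 4` on every SYN chokes a browser that opens many
# connections at once, and why exempting ports 80/443 fixes it.

# Assumed client behaviour (not measured): a dropped SYN is retransmitted
# after 3 s, then 6 s, then 12 s, after which the attempt is abandoned.
RETRY_BACKOFF = [3.0, 6.0, 12.0]


class LimitMatch:
    """Approximate model of `-m limit --limit RATE --limit-burst BURST`.

    A bucket starts with `burst` tokens and refills at `rate` tokens per
    second, capped at `burst`.  A packet matches (here: gets RETURNed out
    of the syn-flood chain, i.e. is accepted) only while a token is
    available; otherwise it falls through to the final DROP rule.
    """

    def __init__(self, rate, burst):
        self.rate = float(rate)
        self.burst = int(burst)
        self.tokens = float(burst)
        self.last = 0.0

    def allow(self, now):
        refill = (now - self.last) * self.rate
        self.tokens = min(self.burst, self.tokens + refill)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def syn_flood_chain(rate, burst, exempt_ports=()):
    """Return a decide(port, now) -> bool function modelling the chain.

    With exempt_ports=(80, 443) this is the second rule set from the
    post: HTTP(S) SYNs RETURN before they reach the limit rule.
    """
    limiter = LimitMatch(rate, burst)

    def decide(port, now):
        if port in exempt_ports:
            return True              # `--dport $P -j RETURN` fires first
        return limiter.allow(now)    # `-m limit ... -j RETURN`, else DROP

    return decide


def simulate_page_load(decide, n_connections, port=80):
    """Simulate a browser opening n_connections TCP connections at t=0.

    Returns (syns_dropped, seconds_until_all_established, abandoned).
    """
    # Event list of (send_time, connection_id, attempt_number).
    pending = [(0.0, cid, 0) for cid in range(n_connections)]
    done_at = {}
    dropped = 0
    abandoned = 0
    while pending:
        pending.sort()                 # process SYNs in arrival order
        t, cid, attempt = pending.pop(0)
        if decide(port, t):
            done_at[cid] = t
        else:
            dropped += 1
            if attempt < len(RETRY_BACKOFF):
                pending.append((t + RETRY_BACKOFF[attempt], cid, attempt + 1))
            else:
                abandoned += 1
    finish = max(done_at.values()) if done_at else None
    return dropped, finish, abandoned


if __name__ == "__main__":
    # First rule set: every SYN, including HTTP, goes through the limit.
    strict = syn_flood_chain(rate=1, burst=4)
    print("strict, 8 parallel image requests:", simulate_page_load(strict, 8))
    # Second rule set: HTTP(S) exempted, only other services are limited.
    relaxed = syn_flood_chain(rate=1, burst=4, exempt_ports=(80, 443))
    print("relaxed, 8 parallel image requests:", simulate_page_load(relaxed, 8))
    # A single SSH login passes untouched under the strict rules too.
    print("strict, 1 ssh connection:",
          simulate_page_load(syn_flood_chain(rate=1, burst=4), 1, port=22))
```

With eight parallel requests and the strict rules, four SYNs pass immediately, four are dropped, and one is dropped again on its first retry, so the last image only starts loading about nine seconds in; with the HTTP(S) exemption, or a burst comfortably above the number of connections a browser opens, nothing is dropped. A single interactive connection never notices the limit, which is why the problem went unseen from an ssh session.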

The moral of the story: netfilter is not for playing with; and if 90% of your website visitors use Explorer, test the website in Explorer once in a while.