SynFloodProtection sets initial Window Size to 0 on Connections opened from Internal Devices in NSX-v

Article ID: 321356


Products

VMware NSX

Issue/Introduction

This article explains the behavior observed when SynFloodProtection is enabled on the NSX Edge.

Symptoms:
SynFloodProtection sets initial Window Size to 0 on Connections opened from Internal Devices.

Environment

VMware NSX for vSphere 6.4.x
VMware NSX for vSphere 6.3.x
VMware NSX for vSphere 6.2.x

Resolution

The Edge uses the netfilter SYNPROXY target to implement SynFloodProtection. The workflow is:
  1. The initial SYN from the client is marked UNTRACKED and directed to the SYNPROXY target.
  2. The SYNPROXY target responds with a SYN/ACK that carries a SYN cookie; the options of the original SYN (window scaling factor, SACK permitted, etc.) are encoded into the timestamp option if timestamps are in use (as TCP SYN cookies do). Notice that the window size of this response is set to 0, and that the SYN/ACK itself is sent to the client as UNTRACKED.
  3. By sending a window of 0 to the client, the SYNPROXY target (Edge) blocks any further data transfer until it has validated the cookie.
  4. When the final ACK from the client arrives at the SYNPROXY target, the cookie is validated, the original options are extracted and a SYN to the original destination (server) is generated. This SYN uses the window size advertised in the final ACK and the options from the initial SYN.
  5. This SYN is not sent as UNTRACKED, so from the conntrack point of view the client instantiates a new connection to the server.
  6. The original destination (server) responds with a SYN/ACK to the SYNPROXY target, which then generates the final ACK for the original destination (server).
  7. A window update carrying the window size announced by the original destination (server) is sent to the client; this opens the window and allows data transfer to begin.
  8. From this point on, the connection is handed off to conntrack and handled as a normal connection.

Note: The above behavior might cause poor application performance at application startup, especially if the Edge is connected to a third-party load balancer. The load balancer will interpret the window size of 0 as per the TCP standard, which states that a sender must pause after receiving a window size of 0.
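To confirm from a packet capture that a connection went through the proxied handshake above, and to measure how long the client was held at window 0 before the window update arrived, the following added example (not VMware code, written for this article) classifies handshakes in a constructed list of TCP segments; the segment fields, IP addresses and timings are assumptions made up for the demonstration.

```python
from collections import namedtuple
from typing import Dict, List, Tuple

# (timestamp in seconds, src IP, dst IP, TCP flags, advertised window)
Segment = namedtuple("Segment", "ts src dst flags window")
Flow = Tuple[str, str]  # (client, server)

def analyze(segments: List[Segment]) -> Dict[Flow, dict]:
    """Per client->server flow: whether the SYN/ACK advertised window 0 and,
    if so, how long the client was held at window 0 after its final ACK
    (the stall the note above describes) until the window update arrived."""
    state: Dict[Flow, dict] = {}
    report: Dict[Flow, dict] = {}
    for s in segments:
        fwd, rev = (s.src, s.dst), (s.dst, s.src)
        if s.flags == "S":                       # client SYN opens a flow
            state[fwd] = {"synack_win": None, "final_ack_ts": None}
        elif s.flags == "SA" and rev in state:   # SYN/ACK towards the client
            state[rev]["synack_win"] = s.window
        elif s.flags == "A" and fwd in state and state[fwd]["final_ack_ts"] is None:
            state[fwd]["final_ack_ts"] = s.ts    # client's final handshake ACK
        elif s.flags == "A" and rev in state and rev not in report:
            st = state[rev]                      # pure ACK from the server side
            if st["synack_win"] == 0 and st["final_ack_ts"] is not None and s.window > 0:
                report[rev] = {"synproxy": True, "stall_s": round(s.ts - st["final_ack_ts"], 3),
                               "server_window": s.window}
    for flow, st in state.items():               # handshakes that were not proxied
        if flow not in report and st["synack_win"]:
            report[flow] = {"synproxy": False, "stall_s": 0.0, "server_window": st["synack_win"]}
    return report

# Constructed sample capture (not real NSX data): one handshake proxied by the
# Edge (SYN/ACK window 0, window update 50 ms after the final ACK) and one plain.
SAMPLE = [
    Segment(0.000, "10.0.0.5", "192.168.1.10", "S", 64240),
    Segment(0.001, "192.168.1.10", "10.0.0.5", "SA", 0),     # cookie SYN/ACK, window 0
    Segment(0.002, "10.0.0.5", "192.168.1.10", "A", 64240),  # final ACK carrying the cookie
    Segment(0.052, "192.168.1.10", "10.0.0.5", "A", 29200),  # window update from the real server
    Segment(0.100, "10.0.0.6", "192.168.1.11", "S", 64240),
    Segment(0.101, "192.168.1.11", "10.0.0.6", "SA", 29200),
    Segment(0.102, "10.0.0.6", "192.168.1.11", "A", 64240),
]

if __name__ == "__main__":
    for flow, info in analyze(SAMPLE).items():
        print(f"{flow[0]} -> {flow[1]}: {info}")
```

A large stall_s on many flows, combined with the window-0 SYN/ACK, is the signature to look for when a load balancer behind the Edge reports slow connection setup.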