Re: enable tcp_syncookies by default?
- From: Oskari Saarenmaa <os sumu org>
- To: Development discussions related to Fedora Core <fedora-devel-list redhat com>
- Subject: Re: enable tcp_syncookies by default?
- Date: Thu, 13 Jan 2005 21:20:23 +0200
On Thu, Jan 13, 2005 at 08:00:28PM +0100, Iago Rubio wrote:
> But ITOH I'm not sure shipping a broken TCP implementation by default
> would be a great idea, even though this broken implementation can help
> during a syn flood attack - but not solve it.
>
> It will also break TCP extensions such as T/TCP.
>
> In fact, against a serious syn flood there's nothing your box can do,
> even with syncookies enabled.
>
> You will end up losing legitimate connections.
SYN cookies will not be used unless the SYN queue is full; if the queue is
full, the connection would be dropped if SYN cookies are not enabled. Using
cookies lets you serve the majority of clients instead of none at all. The
document you quoted says that SYN cookies should not be used as a fallback
facility when legitimate traffic is overwhelming the server.
From Linux 2.4.24 net/ipv4/tcp_ipv4.c:
    /* SYN queue full; isn is preset only for a SYN that reopens a TIME_WAIT socket */
    if (tcp_synq_is_full(sk) && !isn) {
    #ifdef CONFIG_SYN_COOKIES
        if (sysctl_tcp_syncookies) {
            want_cookie = 1;    /* answer statelessly with a SYN cookie */
        } else
    #endif
            goto drop;          /* cookies disabled: the SYN is discarded */
    }
Cheers,
Oskari
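The following is an added illustration, not code from the mail or from the kernel: a
small user-space model of the branch quoted above. A listener with a fixed-size
SYN queue receives a flood of SYNs; with syncookies off, every SYN beyond the
queue capacity is dropped, with syncookies on, the excess is answered with a
cookie in the SYN-ACK sequence number and no state is kept. The cookie format
(FNV-1a mix over the 4-tuple and a constructed secret, MSS index in the low two
bits), the MSS table, the secret and all addresses are assumptions for the demo;
a real kernel uses a cryptographic hash and random keys.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result of a SYN arriving at a listening socket. */
enum syn_result { SYN_QUEUED, SYN_COOKIE, SYN_DROPPED };

/* Hypothetical listener state: the half-open (SYN) queue plus counters. */
struct listen_sock {
    int synq_len;     /* entries currently in the SYN queue */
    int synq_max;     /* capacity; tcp_synq_is_full() is len >= max */
    int syncookies;   /* stand-in for sysctl_tcp_syncookies */
    long queued, cookied, dropped;
};

/* Minimal view of a SYN: the 4-tuple, the client's ISN and its MSS option. */
struct syn_pkt { uint32_t saddr, daddr; uint16_t sport, dport; uint32_t seq; uint16_t mss; };

/* Constructed secret; a real kernel draws random per-boot keys. */
static const uint32_t COOKIE_SECRET = 0x5eed1234u;

/* A cookie carries only a few bits of state, so the client's MSS is rounded down
 * to a small table and the 2-bit index is stored in the cookie's low bits. */
static const uint16_t mss_table[4] = { 536, 1300, 1440, 1460 };

static unsigned mss_index(uint16_t mss)
{
    unsigned i, best = 0;
    for (i = 0; i < 4; i++)
        if (mss_table[i] <= mss)
            best = i;
    return best;
}

/* Constructed keyed mix (FNV-1a over 4-tuple + secret); deterministic is all
 * the demo needs, whereas the kernel uses a real cryptographic hash here. */
static uint32_t cookie_hash(const struct syn_pkt *p)
{
    uint8_t buf[16];
    uint32_t h = 2166136261u;
    size_t i;
    memcpy(buf, &p->saddr, 4);
    memcpy(buf + 4, &p->daddr, 4);
    memcpy(buf + 8, &p->sport, 2);
    memcpy(buf + 10, &p->dport, 2);
    memcpy(buf + 12, &COOKIE_SECRET, 4);
    for (i = 0; i < sizeof buf; i++) { h ^= buf[i]; h *= 16777619u; }
    return h;
}

/* SYN-ACK sequence number: hash in the high bits, MSS index in the low 2 bits.
 * Nothing is stored; the client's final ACK carries the cookie back. */
uint32_t make_cookie(const struct syn_pkt *p)
{
    return (cookie_hash(p) & ~3u) | mss_index(p->mss);
}

/* Validate the third handshake packet (ack_seq must equal cookie + 1).
 * Returns the negotiated MSS, or 0 for a forged or corrupted ACK. */
uint16_t check_cookie(const struct syn_pkt *p, uint32_t ack_seq)
{
    uint32_t cookie = ack_seq - 1;
    if ((cookie & ~3u) != (cookie_hash(p) & ~3u))
        return 0;
    return mss_table[cookie & 3u];
}

/* Mirrors the tcp_ipv4.c branch quoted in the mail: a full SYN queue either
 * switches to cookies or drops the SYN, depending on the sysctl. */
enum syn_result handle_syn(struct listen_sock *sk, const struct syn_pkt *p, uint32_t *isn)
{
    if (sk->synq_len >= sk->synq_max) {          /* tcp_synq_is_full(sk) */
        if (sk->syncookies) {                    /* want_cookie = 1 */
            *isn = make_cookie(p);
            sk->cookied++;
            return SYN_COOKIE;
        }
        sk->dropped++;                           /* goto drop */
        return SYN_DROPPED;
    }
    sk->synq_len++;                              /* normal half-open entry */
    sk->queued++;
    *isn = cookie_hash(p) ^ p->seq;              /* any ISN will do on this path */
    return SYN_QUEUED;
}

/* Round trip one constructed SYN: MSS recovered from a valid ACK, 0 if the ACK is off. */
uint16_t cookie_roundtrip(uint16_t mss, uint32_t ack_delta)
{
    struct syn_pkt p = { 0xc0a80001u, 0x0a000001u, 40000, 80, 12345, mss };
    return check_cookie(&p, make_cookie(&p) + 1 + ack_delta);
}

/* Constructed flood: n_syns distinct sources hit a listener whose queue never
 * drains. Returns how many clients receive a SYN-ACK (queued + cookied). */
long simulate_flood(int syncookies, int synq_max, int n_syns)
{
    struct listen_sock sk = { 0, synq_max, syncookies, 0, 0, 0 };
    struct syn_pkt p = { 0, 0x0a000001u, 0, 80, 0, 1460 };
    uint32_t isn;
    int i;
    for (i = 0; i < n_syns; i++) {
        p.saddr = 0xc0a80000u + (uint32_t)i;
        p.sport = (uint16_t)(1024 + i);
        handle_syn(&sk, &p, &isn);
    }
    return sk.queued + sk.cookied;
}

int main(void)
{
    printf("syncookies=0: %ld of 100 clients answered\n", simulate_flood(0, 8, 100));
    printf("syncookies=1: %ld of 100 clients answered\n", simulate_flood(1, 8, 100));
    return 0;
}
```

With an 8-entry queue and 100 SYNs, the model answers 8 clients without cookies
and all 100 with them, which is the point of the mail: cookies only change what
happens to SYNs that would otherwise be dropped. The round-trip helper also shows
the cost the quoted reply alludes to: only the MSS survives in the cookie, so
options that need per-connection state in the SYN queue cannot be honoured on
that path.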