[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: enable tcp_syncookies by default?



On Thu, Jan 13, 2005 at 08:00:28PM +0100, Iago Rubio wrote:
> But ITOH I'm not sure to ship a broken TCP implementation by default
> should be a great idea, even while this broken implementation can help
> during a syn flood attack - but not solve it.
> 
> It will also break TCP extensions as T/TCP.
> 
> In fact, against a serious syn flood there's nothing your box can do,
> even with syncookies enabled. 
> 
> You will end loosing legitimate connections.

SYN cookies will not be used unless the SYN queue is full, if the queue is
full the connection would be dropped if SYN cookies are not enabled.  Using
cookies lets you serve the majority of clients instead of none at all. The
document you quoted says that SYN cookies should not be as a fallback
facility when legitimate traffic is overwhelming the server.

>From linux 2.4.24 net/ipv/tcp_ipv4.c:
 1417   if (tcp_synq_is_full(sk) && !isn) {
 1418  #ifdef CONFIG_SYN_COOKIES
 1419           if (sysctl_tcp_syncookies) {
 1420                   want_cookie = 1;
 1421           } else
 1422  #endif
 1423           goto drop;
 1424   }

Cheers,
Oskari


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]