Re: enable tcp_syncookies by default?

On Thu, 2005-01-13 at 16:48, Pekka Savola wrote:
> On Thu, 13 Jan 2005, Iago Rubio wrote:
> > Default settings should be for the most common configuration,
> By that logic, syn cookies should be enabled.
> It's 2005.  Computers are connected to the net, period.

Yes, I know. 

I've got right now 5 computers connected to the net around me, 8
computers in my home LAN.  

None of them can be a target of syn floods from the Internet.

As I'm sure you know, one computer can access the net without being facing

A route from your LAN to the Internet does not make your machine a target of
syn flood attacks.

From a desktop user's perspective, with no server running, syncookies
have nothing to do when enabled, as you need at least one open port to
trigger a syn flood.

Computers connected to the Internet does not mean computers that are targets
of syn floods at all.

Only servers connected to the Internet have this risk.

> It's better to err on the side of caution, you know.

I agree with you.

But OTOH I'm not sure that shipping a broken TCP implementation by default
is a great idea, even if this broken implementation can help
during a syn flood attack - but not solve it.

It will also break TCP extensions such as T/TCP.

In fact, against a serious syn flood there's nothing your box can do,
even with syncookies enabled. 

You will end up losing legitimate connections.

Iago Rubio
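The argument above hinges on whether the box has any listening TCP port at all, since syncookies on Linux only come into play when a listener's SYN backlog overflows. The following script, an added example and not code from this thread, reads a /proc/net/tcp listing from stdin (a constructed sample is embedded), lists the LISTEN sockets, and reports what the tcp_syncookies setting can and cannot do for that host; the function names and the sample data are this example's own.

```shell
#!/bin/sh
# Constructed /proc/net/tcp snapshot (NOT captured from a real host):
# one LISTEN socket on port 22 (hex 0016) and one ESTABLISHED connection.
# Field 2 is local address:port in hex, field 4 is the socket state,
# and state 0A means LISTEN.
SAMPLE_PROC_NET_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:C2E4 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 12346 1 0000000000000000 20 4 30 10 -1'

# Print the decimal port of every LISTEN socket in the /proc/net/tcp
# listing given on stdin, one per line. Skips the header (NR > 1) and
# converts the hex port with POSIX shell arithmetic, so no gawk is needed.
listening_ports() {
    awk 'NR > 1 && $4 == "0A" { split($2, a, ":"); print a[2] }' |
    while read -r hexport; do
        echo $((0x$hexport))
    done
}

# assess <tcp_syncookies value>  (listing on stdin)
# Prints a one-line verdict: without a listener no SYN is ever queued, so
# the sysctl is irrelevant; with listeners, syncookies=1 is used only once
# the SYN backlog is full, and syncookies=0 drops new SYNs at that point.
assess() {
    syncookies="$1"
    ports=$(listening_ports | tr '\n' ' ')
    ports=${ports% }
    if [ -z "$ports" ]; then
        echo "no-listeners: no port accepts SYNs, tcp_syncookies=$syncookies has no effect"
    elif [ "$syncookies" = "1" ]; then
        echo "listeners($ports): syncookies enabled, engaged only when the SYN backlog overflows"
    else
        echo "listeners($ports): syncookies disabled, a full SYN backlog drops new SYNs"
    fi
}

# Run against the constructed sample; on a live Linux host use instead:
#   assess "$(cat /proc/sys/net/ipv4/tcp_syncookies)" < /proc/net/tcp
printf '%s\n' "$SAMPLE_PROC_NET_TCP" | assess 1
```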

