
Re: tcp_syncookie

On Fri, 06 Oct 2000, Andreas Schuldei wrote:
> Why isn't 
> /proc/sys/net/ipv4/tcp_syncookies
> =1 in the default install?

Because it causes problems, and even the kernel people who designed it think
it is best to leave the thing disabled by default (which IS the reason why
it is not enabled by default).

You should search the -devel archives for past threads on this issue, I
think, or search the linux-devel archives if you really want more info.

> What drawbacks would that have? Would it not increase protection and security?

tcp syncookies are somewhat like extremely strong medicine. They try to kill
the disease faster than they kill you :-)

The short version is that tcp syncookies may cause high-traffic hosts to
leave clients hanging for no good reason, AFAIK.

  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
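As an added illustration (not part of this thread or of the Linux source), here is a toy SYN-cookie encoder and validator in the style of the classic Bernstein scheme: a 5-bit counter, a 3-bit MSS class and a 24-bit keyed hash packed into the 32-bit initial sequence number. The secret, the MSS table and the acceptance window are constructed values; the point is that the cookie has room only for a coarse MSS class, so the MSS the client actually advertised (and any other SYN options) is not recoverable when the handshake completes, which is the kind of degradation the reply above alludes to.

```python
import hashlib
import struct

# Constructed values for the example; a real kernel rotates its secret.
SECRET = b"constructed-example-secret"
# Constructed MSS classes; only the index (3 bits) fits into the cookie.
MSS_TABLE = (536, 1024, 1220, 1440, 1460, 4312, 8960, 65535)
COUNTER_WINDOW = 4  # accept cookies minted in the last 4 counter ticks


def _hash24(saddr, sport, daddr, dport, count):
    """24-bit keyed hash over the connection 4-tuple and the counter tick."""
    msg = struct.pack("!4sH4sHI", saddr, sport, daddr, dport, count)
    return int.from_bytes(hashlib.sha256(SECRET + msg).digest()[:3], "big")


def mss_class(mss):
    """Largest table index whose MSS does not exceed the advertised MSS."""
    idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= mss:
            idx = i
    return idx


def make_cookie(saddr, sport, daddr, dport, mss, count):
    """ISN to send in the SYN-ACK instead of queueing connection state.

    Layout: [5 bits counter][3 bits MSS class][24 bits hash].
    Nothing else from the SYN (window scale, SACK) is stored anywhere.
    """
    tick = count & 0x1F
    return (tick << 27) | (mss_class(mss) << 24) | _hash24(saddr, sport, daddr, dport, tick)


def check_cookie(saddr, sport, daddr, dport, ack, now):
    """Validate the client's final ACK; return the reconstructed MSS or None."""
    cookie = (ack - 1) & 0xFFFFFFFF
    tick = cookie >> 27
    # Reject stale cookies: the counter is compared modulo 32.
    if ((now - tick) & 0x1F) >= COUNTER_WINDOW:
        return None
    if cookie & 0xFFFFFF != _hash24(saddr, sport, daddr, dport, tick):
        return None
    return MSS_TABLE[(cookie >> 24) & 7]
```

A client that advertised MSS 1400 gets 1220 back from `check_cookie`, because the cookie only preserved the class below it.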
