Re: TCP SYN cookies and Bug #520668
On Sat, 13 Feb 2010, Florian Weimer wrote:
> * Craig Small:
> > While initially skeptical, I can see that under high TCP loads having
> > some sort of connection is better than having no connection. Connections
> > with large windows will be dropped, but they would be anyhow.
> This argument ignores the non-attack overload case. Lack of window
> scaling may increase the load (in terms of the number of connections
> required to achieve a certain level of aggregated bandwidth), making
> such situations worse.
> (Window scaling is more important than it used to be because
> bandwidth-delay products tend to be larger these days.)
AIUI syn cookies will not affect anything while things are normal; that
is, window scaling and other TCP options will still work as they should.
Once the syn queue gets full and new connections would be dropped, syn
cookies start becoming active, still accepting connections but without
options such as window scaling enabled.

If your choice is to get no connection or a connection without the
window scale option, which would you pick?
                           |  .''`.  ** Debian GNU/Linux **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/
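
Added example, not part of the original message: one way to check on a Linux host whether SYN cookies have actually been issued during an interval, by comparing the `SyncookiesSent`, `SyncookiesRecv` and `SyncookiesFailed` counters from two reads of `/proc/net/netstat`. The two snapshots embedded below are constructed sample data, and the function names are this example's own.

```python
import os

# Constructed /proc/net/netstat excerpts (sample data, not from a real host).
QUIET = """\
TcpExt: SyncookiesSent SyncookiesRecv SyncookiesFailed ListenOverflows ListenDrops
TcpExt: 0 0 0 0 0
"""
FLOODED = """\
TcpExt: SyncookiesSent SyncookiesRecv SyncookiesFailed ListenOverflows ListenDrops
TcpExt: 18234 412 97 0 0
"""

def parse_netstat(text):
    """Turn the header/value line pairs of /proc/net/netstat into {group: {counter: int}}."""
    rows = [line.split() for line in text.splitlines() if line.strip()]
    if len(rows) % 2:
        raise ValueError("expected header/value line pairs")
    groups = {}
    for names, values in zip(rows[0::2], rows[1::2]):
        if names[0] != values[0] or len(names) != len(values):
            raise ValueError("header and value lines do not match: %r" % names[0])
        groups[names[0].rstrip(":")] = dict(zip(names[1:], map(int, values[1:])))
    return groups

def syncookie_activity(before, after):
    """Compare two snapshots; cookies were in use only if SyncookiesSent grew."""
    old, new = parse_netstat(before)["TcpExt"], parse_netstat(after)["TcpExt"]
    delta = {k: new[k] - old.get(k, 0)
             for k in ("SyncookiesSent", "SyncookiesRecv", "SyncookiesFailed")}
    delta["active"] = delta["SyncookiesSent"] > 0
    return delta

def syncookies_setting(path="/proc/sys/net/ipv4/tcp_syncookies"):
    """Return the sysctl value on a Linux host, or None where the file is absent."""
    if not os.path.exists(path):
        return None
    with open(path) as fh:
        return int(fh.read().strip())

if __name__ == "__main__":
    print("net.ipv4.tcp_syncookies =", syncookies_setting())
    print("quiet interval   :", syncookie_activity(QUIET, QUIET))
    print("overload interval:", syncookie_activity(QUIET, FLOODED))
```

On a live host, pass two reads of `/proc/net/netstat` taken some seconds apart instead of the constructed snapshots.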