[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#520668: TCP SYN cookies

  Regarding the procps bug 520668 which was asking for the TCP SYN
cookies to be enabled by default, I've looked at the various emails
to and for.

While it does seem like it would be a good idea at times, there is not
a consensus that it is a good *default*  Nothing about this bug would
change peoples ability to edit sysctl.conf for their own setup.

Some important points brought up, paraphrased:
 * I disagree generally that if the default is 'off' then the best
   solution is always 'off'. Often new features are off by default,
   because they are new.
 * SYN cookies disable features, under attack this probably doesn't
   matter but under non-attack high loads it does [1]
 * SYN cookies solve one part of the overload problem, but are still put
   on the overloaded queue [2] - I actually see this as a good thing, 
   at least you know the new connections are verified

Significantly, from this bug's point of view, from Julien Cristau [3]:
> I believe procps is the wrong place to make this change.  If we decide
> that syncookies should be enabled, then that should be done in the
> linux-2.6 package, IMO
I happen to agree and in future I'll treat further sysctl key options
like this:
  * Generally a bad idea or only for very specific circumstances - close
  * Something useful for some subset of Debian machines - commented out
    in sysctl.conf
  * Something everyone should have - reassign to the kernel

The TCP syn cookies is alreeady a commented out line in sysctl.conf
Should it be the default for everyone? Then if so the kernel folk
can decide, I'm re-assigning it to the kernel package.

 - Craig

[1] http://lists.debian.org/debian-devel/2010/02/msg00296.html
[2] http://lists.debian.org/debian-devel/2010/02/msg00314.html
[3] http://lists.debian.org/debian-devel/2010/02/msg00278.html 
Craig Small      GnuPG:1C1B D893 1418 2AF4 45EE  95CB C76C E5AC 12CA DFA5
http://www.enc.com.au/                             csmall at : enc.com.au
http://www.debian.org/          Debian GNU/Linux, software should be Free 

Attachment: signature.asc
Description: Digital signature

Reply to: