[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: tcp_syncookies

On Mon, 13 May 2002, sim ton wrote:
> i wanna be protected against syn flood attack ... ok ...
> but i don't really know what is the best solution :
>   iptables -A FORWARD -p tcp --syn -m limit --limit 1/s ACCEPT
> or 
>   # Enable TCP SYN Cookie Protection
>   #echo 1 > /proc/sys/net/ipv4/tcp_syncookies
> are there the same or not ???

No, they are not the same. The iptables rule you specify limits your
system to accepting one connection per second, a fairly small number.

The SYN cookies activation allows your system to accept an unlimited
number of TCP connections[1] while still trying to give reasonable
service during a denial of service attack.

The second is the preferable technique.

[1]  For values of unlimited up to those supported by the software and
     hardware. :)

I have never seen a bad television program, because I refuse to.
God gave me a mind, and a wrist that turns things off.
        -- Jack Paar

To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to: