[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: tcp_syncookies

On Mon, May 13, 2002 at 04:08:27AM -0700, sim ton wrote:
> hi,
> i wanna be protected against syn flood attack ... ok ...
> but i don't really know what is the best solution :
>   iptables -A FORWARD -p tcp --syn -m limit --limit 1/s ACCEPT
> or 
>   # Enable TCP SYN Cookie Protection
>   #echo 1 > /proc/sys/net/ipv4/tcp_syncookies
> are there the same or not ???

Totally different. The first limits your system to an connection rate of 1
connect per second, this will affect users if you have a heavyly used
server, therwise it will prevent system overload by connects. If the main
purpose of your system is not serving connections, the rate limit does help
to limit the affect of connection flooding.

The second one is more specifically aimed towards syn floods and will not
impact normal operations, cause syn cookies are only used if ressources get
used up by a syn flood.

If you use syn cookies, make sure to observe your kernels log and make sure
that kernel is not sending syn cookies in normal load situations, cause this
will decrease the TCP performance of the clients. There are parameters to
tune, to make kernel wait longer before syn cookies are enabled. on small
sized servers you do not need to tune this setting.


To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to: