
Re: tcp_syncookies



On Mon, 13 May 2002, sim ton wrote:
> i wanna be protected against syn flood attack ... ok ...
> but i don't really know what is the best solution :
>   iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
> or 
>   # Enable TCP SYN Cookie Protection
>   #echo 1 > /proc/sys/net/ipv4/tcp_syncookies
> 
> are there the same or not ???

No, they are not the same. The iptables rule you specify limits your
system to accepting one connection per second, a fairly small number.

The SYN cookies activation allows your system to accept an unlimited
number of TCP connections[1] while still trying to give reasonable
service during a denial of service attack.

The second is the preferable technique.
        Daniel

Footnotes: 
[1]  For values of unlimited up to those supported by the software and
     hardware. :)

-- 
I have never seen a bad television program, because I refuse to.
God gave me a mind, and a wrist that turns things off.
        -- Jack Paar
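The two mechanisms side by side, as an added example that is not part of the original thread. It checks and enables the kernel setting (against a file path you pass, so it can be exercised without root), emits the line that makes it persist across reboots, and prints the iptables rule from the question with two corrections a practitioner would want: the target needs `-j`, and a limit-match ACCEPT on its own drops nothing, because SYNs above the rate simply fall through to the next rule or the chain policy, so a DROP rule must follow it. The function names and the use of a temporary file are this example's own.

```shell
#!/bin/sh
# Added example for the tcp_syncookies vs. "-m limit" question.
# Paths are the standard Linux ones; function names are this example's own.

# Kernel knob for SYN cookies. Callers may pass another file instead so the
# functions can be tested offline (a constructed copy of the value).
SYNCOOKIES_PATH=/proc/sys/net/ipv4/tcp_syncookies

# syncookies_state [FILE]: print "enabled", "disabled" or "unknown".
# Kernel values: 0 = off, 1 = send cookies once the SYN backlog overflows,
# 2 = always send cookies (newer kernels).
syncookies_state() {
    f="${1:-$SYNCOOKIES_PATH}"
    [ -r "$f" ] || { echo "unknown"; return 2; }
    v=$(cat "$f")
    case "$v" in
        0)   echo "disabled" ;;
        1|2) echo "enabled" ;;
        *)   echo "unknown"; return 2 ;;
    esac
}

# enable_syncookies [FILE]: what the quoted "echo 1 >" line does.
# This takes effect immediately but does not survive a reboot.
enable_syncookies() {
    f="${1:-$SYNCOOKIES_PATH}"
    echo 1 > "$f"
}

# syncookies_sysctl_line: the entry to add to /etc/sysctl.conf so the
# setting is restored at boot (sysctl -p applies it without rebooting).
syncookies_sysctl_line() {
    echo "net.ipv4.tcp_syncookies = 1"
}

# rate_limit_rules: the iptables approach from the question, corrected.
# The limit match only ACCEPTs up to 1 SYN/s (plus the default burst);
# excess SYNs are NOT dropped by that rule, so a DROP must follow, and
# every legitimate client beyond that rate is refused -- the reason the
# reply prefers SYN cookies, which keep accepting connections under load.
rate_limit_rules() {
    cat <<'EOF'
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p tcp --syn -j DROP
EOF
}

# Run with --show (as root on a real host) to print the current state.
if [ "${1:-}" = "--show" ]; then
    echo "SYN cookies: $(syncookies_state)"
    echo "Persist with: $(syncookies_sysctl_line)"
    echo "Rate-limit alternative:"
    rate_limit_rules
fi
```

Note that `sysctl -w net.ipv4.tcp_syncookies=1` is equivalent to the `echo 1 >` write; both are lost on reboot unless the sysctl.conf line is present.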
