Re: tcp_syncookies
On Mon, 13 May 2002, sim ton wrote:
> i wanna be protected against syn flood attack ... ok ...
> but i don't really know what is the best solution :
> iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
> or
> # Enable TCP SYN Cookie Protection
> #echo 1 > /proc/sys/net/ipv4/tcp_syncookies
>
> are there the same or not ???
No, they are not the same. The iptables rule you specify limits your
system to accepting one connection per second, a fairly small number.
The SYN cookies activation allows your system to accept an unlimited
number of TCP connections[1] while still trying to give reasonable
service during a denial of service attack.
The second is the preferable technique.
Daniel
Footnotes:
[1] For values of unlimited up to those supported by the software and
hardware. :)
--
I have never seen a bad television program, because I refuse to.
God gave me a mind, and a wrist that turns things off.
-- Jack Paar
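To make the difference concrete: a rate limit drops SYNs once the bucket is empty, whereas SYN cookies let the server answer every SYN without keeping a half-open entry, because the state it needs is encoded in the sequence number it sends back and recovered from the client's ACK. The following is an added example, a small Python model of that encode/verify round trip written for this page; it is not the Linux kernel's code. The kernel packs a 5-bit time counter, a 3-bit MSS table index and a 24-bit keyed hash into the 32-bit ISN; the secret, MSS table, tick width and maximum cookie age below are constructed stand-ins for the kernel's values.

```python
"""Simplified model of TCP SYN cookies (added example, not kernel code)."""
import hashlib
import hmac

# Constructed demo values. The kernel derives its secret from random data
# at boot and uses a longer MSS table; these play the same role here.
SECRET = b"constructed-demo-secret"
MSS_TABLE = [536, 1300, 1440, 1460]   # index stored in the 3-bit MSS field
TICK_SECONDS = 64                     # coarse clock, 5 bits wide in the cookie
MAX_AGE_TICKS = 2                     # accept cookies from this or the 2 previous ticks


def _tick(now):
    """5-bit time counter derived from a Unix timestamp."""
    return (int(now) // TICK_SECONDS) & 0x1F


def _mss_index(peer_mss):
    """Largest table entry not exceeding the peer's advertised MSS (0 if none)."""
    idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= peer_mss:
            idx = i
    return idx


def _mac24(saddr, daddr, sport, dport, tick):
    """24-bit keyed hash binding the cookie to the 4-tuple and the tick."""
    msg = f"{saddr}|{daddr}|{sport}|{dport}|{tick}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_syn_cookie(saddr, daddr, sport, dport, peer_mss, now):
    """Server side, on SYN: build the ISN for the SYN/ACK and keep no state."""
    tick = _tick(now)
    idx = _mss_index(peer_mss)
    return (tick << 27) | (idx << 24) | _mac24(saddr, daddr, sport, dport, tick)


def check_syn_cookie(saddr, daddr, sport, dport, ack, now):
    """Server side, on the final ACK: recover the MSS, or None if the cookie is bad.

    The client's ACK number is our ISN + 1, so the cookie is ack - 1.
    """
    cookie = (ack - 1) & 0xFFFFFFFF
    tick = cookie >> 27
    idx = (cookie >> 24) & 0x7
    mac = cookie & 0xFFFFFF
    # Reject stale cookies: a flood cannot stockpile valid ACKs for later.
    if (_tick(now) - tick) & 0x1F > MAX_AGE_TICKS:
        return None
    if idx >= len(MSS_TABLE):
        return None
    expected = _mac24(saddr, daddr, sport, dport, tick)
    if not hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None
    return MSS_TABLE[idx]


def handshake(saddr, daddr, sport, dport, peer_mss, syn_time, ack_time):
    """Model a full handshake: SYN -> SYN/ACK (cookie ISN) -> ACK (ISN + 1)."""
    isn = make_syn_cookie(saddr, daddr, sport, dport, peer_mss, syn_time)
    client_ack = (isn + 1) & 0xFFFFFFFF
    return check_syn_cookie(saddr, daddr, sport, dport, client_ack, ack_time)


if __name__ == "__main__":
    # Constructed addresses from the documentation ranges.
    print("legit:", handshake("203.0.113.5", "198.51.100.1", 40000, 80, 1460, 1000, 1010))
    print("spoofed ACK:", check_syn_cookie("203.0.113.5", "198.51.100.1", 40000, 80, 0, 1010))
```

Nothing is stored between the SYN and the ACK, which is why the backlog cannot fill up under a flood: a spoofed SYN costs the server one SYN/ACK and no memory, and only a peer that actually received the SYN/ACK can produce an ACK that verifies. The price is the coarse MSS table and the loss of options such as window scaling that the cookie has no room to carry, which is why the kernel only switches to cookies once the real backlog overflows. On Linux the setting is the one from the thread, /proc/sys/net/ipv4/tcp_syncookies, persisted as net.ipv4.tcp_syncookies = 1 in /etc/sysctl.conf.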