Re: tcp syn flood and /proc configuration
Hello Vincent Hanquez <tab@crans.org>,
But this option seems to bring some side-effect. Is there any
alternative?
tcp_syncookies - BOOLEAN
Only valid when the kernel was compiled with CONFIG_SYNCOOKIES
Send out syncookies when the syn backlog queue of a socket
overflows. This is to prevent against the common 'syn flood attack'
Default: FALSE
Note, that syncookies is fallback facility.
It MUST NOT be used to help highly loaded servers to stand
against legal connection rate. If you see synflood warnings
in your logs, but investigation shows that they occur
because of overload with legal connections, you should tune
another parameters until this warning disappear.
See: tcp_max_syn_backlog, tcp_synack_retries, tcp_abort_on_overflow.
syncookies seriously violate TCP protocol, do not allow
to use TCP extensions, can result in serious degradation
of some services (f.e. SMTP relaying), visible not by you,
but your clients and relays, contacting you. While you see
synflood warnings in logs not being really flooded, your server
is seriously misconfigured.
On Tue, 7 May 2002 17:39:12 +0200
Vincent Hanquez <tab@crans.org> wrote:
> On Tue, May 07, 2002 at 10:26:43PM +0800, Patrick Hsieh wrote:
> > Hello list,
> >
> > Is there anyone having any suggestion to tune the /proc/sys/net/ipv4/*
> > to avoid tcp syn flood attack?
>
> there a kernel option "IP: TCP syncookie support" to do that
> you can activate it with :
>
> echo 1 > /proc/sys/net/ipv4/tcp_syncookies
>
> hope it helps
>
> --
> Tab
>
>
> --
> To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
--
Patrick Hsieh <pahud@pahud.net>
GPG public key http://pahud.net/pubkeys/pahudatpahud.gpg
--
To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Reply to: