Re: tcp syn flood and /proc configuration
On Wed, May 08, 2002 at 01:45:32AM +0800, Patrick Hsieh wrote:
> Hello Vincent Hanquez <email@example.com>,
> But this option seems to bring some side-effect. Is there any
> tcp_syncookies - BOOLEAN
> Only valid when the kernel was compiled with CONFIG_SYNCOOKIES
> Send out syncookies when the syn backlog queue of a socket
> overflows. This is to prevent against the common 'syn flood attack'
> Default: FALSE
> Note that syncookies is a fallback facility.
> It MUST NOT be used to help highly loaded servers to stand
> against legal connection rate. If you see synflood warnings
> in your logs, but investigation shows that they occur
> because of overload with legal connections, you should tune
> other parameters until this warning disappears.
> See: tcp_max_syn_backlog, tcp_synack_retries, tcp_abort_on_overflow.
> syncookies seriously violate the TCP protocol, do not allow
> the use of TCP extensions,
TCP extensions work normally when you aren't being SYN flooded, IIRC.
DJB is one of the co-designers of SYN cookies. Read his explanation at
> can result in serious degradation
> of some services (f.e. SMTP relaying), visible not by you,
> but your clients and relays, contacting you. While you see
> synflood warnings in logs not being really flooded, your server
> is seriously misconfigured.
#define X(x,y) x##y
Peter Cordes ; e-mail: X(firstname.lastname@example.org. , ns.ca)
"The gods confound the man who first found out how to distinguish the hours!
Confound him, too, who in this place set up a sundial, to cut and hack
my day so wretchedly into small pieces!" -- Plautus, 200 BCE
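An added example, not part of the original mail or the kernel documentation: a small POSIX sh audit of the tunables the quoted doc lists, plus a count of the kernel's "possible SYN flooding" warnings in a log file. It takes the proc directory as an argument so it can be pointed at a test tree; the 1024 backlog threshold and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Audit the SYN-flood tunables named in the tcp_syncookies documentation.
# The real location is /proc/sys/net/ipv4; a directory is passed in so the
# functions can be exercised against a constructed tree.

read_tunable() {
    # read_tunable DIR NAME -> prints the value, or "missing" if unreadable
    if [ -r "$1/$2" ]; then cat "$1/$2"; else echo missing; fi
}

# audit_syn_tunables DIR
# Exit status 0: syncookies on as a fallback and a non-tiny backlog.
# Exit status 1: something the doc's advice says to look at.
audit_syn_tunables() {
    dir=$1
    cookies=$(read_tunable "$dir" tcp_syncookies)
    backlog=$(read_tunable "$dir" tcp_max_syn_backlog)
    retries=$(read_tunable "$dir" tcp_synack_retries)
    abort=$(read_tunable "$dir" tcp_abort_on_overflow)
    status=0
    if [ "$cookies" != 1 ]; then
        echo "tcp_syncookies=$cookies: no fallback if the SYN backlog overflows"
        status=1
    fi
    # 1024 is a constructed threshold, not a value from the doc
    if [ "$backlog" = missing ] || [ "$backlog" -lt 1024 ]; then
        echo "tcp_max_syn_backlog=$backlog: small backlog; legitimate bursts may trip syncookies"
        status=1
    fi
    echo "syncookies=$cookies max_syn_backlog=$backlog synack_retries=$retries abort_on_overflow=$abort"
    return $status
}

# count_synflood_warnings LOGFILE
# Many of these on a host that is not actually being flooded is the
# misconfiguration the doc describes: tune the backlog, not syncookies.
count_synflood_warnings() {
    grep -ci 'possible SYN flooding on port' "$1"
}

# Demo: live audit (if /proc is readable) and a constructed sample log.
audit_syn_tunables "${1:-/proc/sys/net/ipv4}" || true
demo_log=$(mktemp)
cat > "$demo_log" <<'EOF'
kernel: possible SYN flooding on port 25. Sending cookies.
kernel: eth0: link is up
kernel: possible SYN flooding on port 80. Sending cookies.
EOF
echo "SYN flood warnings in constructed sample log: $(count_synflood_warnings "$demo_log")"
rm -f "$demo_log"
```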