[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: tcp syn flood and /proc configuration

On Wed, May 08, 2002 at 01:45:32AM +0800, Patrick Hsieh wrote:
> Hello Vincent Hanquez <tab@crans.org>,
> But this option seems to bring some side-effect. Is there any
> alternative?
> tcp_syncookies - BOOLEAN
>         Only valid when the kernel was compiled with CONFIG_SYNCOOKIES
>         Send out syncookies when the syn backlog queue of a socket
>         overflows. This is to prevent against the common 'syn flood attack'
>         Default: FALSE
>         Note, that syncookies is fallback facility.
>         It MUST NOT be used to help highly loaded servers to stand
>         against legal connection rate. If you see synflood warnings
>         in your logs, but investigation shows that they occur
>         because of overload with legal connections, you should tune
>         another parameters until this warning disappear.
>         See: tcp_max_syn_backlog, tcp_synack_retries, tcp_abort_on_overflow.
>         syncookies seriously violate TCP protocol, do not allow
>         to use TCP extensions,

 TCP extensions work normally when you aren't being SYN flooded, IIRC.
 DJB is one of the co-designers of SYN cookies.  Read his explanation at

>         can result in serious degradation
>         of some services (f.e. SMTP relaying), visible not by you,
>         but your clients and relays, contacting you. While you see
>         synflood warnings in logs not being really flooded, your server
>         is seriously misconfigured.

#define X(x,y) x##y
Peter Cordes ;  e-mail: X(peter@llama.nslug. , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BCE

To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to: