Re: tcp syn flood and /proc configuration
On Wed, May 08, 2002 at 01:45:32AM +0800, Patrick Hsieh wrote:
> Hello Vincent Hanquez <tab@crans.org>,
>
> But this option seems to bring some side-effect. Is there any
> alternative?
>
> tcp_syncookies - BOOLEAN
> Only valid when the kernel was compiled with CONFIG_SYNCOOKIES
> Send out syncookies when the syn backlog queue of a socket
> overflows. This is to prevent against the common 'syn flood attack'
> Default: FALSE
>
> Note that syncookies is a fallback facility.
> It MUST NOT be used to help highly loaded servers to stand
> against legal connection rate. If you see synflood warnings
> in your logs, but investigation shows that they occur
> because of overload with legal connections, you should tune
> other parameters until this warning disappears.
> See: tcp_max_syn_backlog, tcp_synack_retries, tcp_abort_on_overflow.
>
> syncookies seriously violate the TCP protocol, do not allow
> the use of TCP extensions,
TCP extensions work normally when you aren't being SYN flooded, IIRC.
DJB is one of the co-designers of SYN cookies. Read his explanation at
http://cr.yp.to/syncookies.html.
> can result in serious degradation
> of some services (f.e. SMTP relaying), visible not by you,
> but your clients and relays, contacting you. While you see
> synflood warnings in logs not being really flooded, your server
> is seriously misconfigured.
--
#define X(x,y) x##y
Peter Cordes ; e-mail: X(peter@llama.nslug. , ns.ca)
"The gods confound the man who first found out how to distinguish the hours!
Confound him, too, who in this place set up a sundial, to cut and hack
my day so wretchedly into small pieces!" -- Plautus, 200 BCE
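As an added example (not from this thread or the kernel documentation quoted in it), the following POSIX shell script reads the four sysctls named above from a procfs-style directory and reports whether the configuration matches the quoted advice: syncookies enabled only as a fallback, with the backlog tuned so cookies do not engage under legitimate load. The 1024 backlog floor is an illustrative threshold chosen here, and the directory argument is an assumption that lets the check run against a constructed tree as well as the live kernel.

```shell
#!/bin/sh
# Added example: audit the SYN-flood sysctls discussed in the thread.
# Values are read from a procfs-style directory (default /proc/sys/net/ipv4)
# so the same check can run against a constructed tree. Returns 0 when
# syncookies are on as a fallback AND the backlog is large enough that
# cookies will not engage under ordinary legitimate load.
read_sysctl() {
    # $1 = root directory, $2 = parameter; prints the value or "missing"
    if [ -r "$1/$2" ]; then
        tr -d '[:space:]' < "$1/$2"
    else
        printf 'missing'
    fi
}

check_syn_tuning() {
    root="${1:-/proc/sys/net/ipv4}"
    rc=0
    cookies=$(read_sysctl "$root" tcp_syncookies)
    backlog=$(read_sysctl "$root" tcp_max_syn_backlog)
    retries=$(read_sysctl "$root" tcp_synack_retries)
    abort=$(read_sysctl "$root" tcp_abort_on_overflow)
    # Cookies are the fallback for a genuine flood; they should stay enabled.
    if [ "$cookies" = "1" ]; then
        echo "tcp_syncookies=$cookies: ok (fallback for a real SYN flood)"
    else
        echo "tcp_syncookies=$cookies: WARN, no fallback when the SYN backlog overflows"
        rc=1
    fi

    # A small backlog makes cookies engage under normal load, which is the
    # misconfiguration the quoted documentation warns about. The 1024 floor
    # is an illustrative threshold chosen here, not a kernel-documented value.
    if [ "$backlog" != "missing" ] && [ "$backlog" -ge 1024 ]; then
        echo "tcp_max_syn_backlog=$backlog: ok"
    else
        echo "tcp_max_syn_backlog=$backlog: WARN, raise this rather than relying on cookies"
        rc=1
    fi

    # Reported for the operator; these are the other knobs the docs point to.
    echo "tcp_synack_retries=$retries (fewer retries expire half-open entries sooner)"
    echo "tcp_abort_on_overflow=$abort (leave at 0 unless the daemon cannot accept faster)"
    return $rc
}
# Run against the live kernel with: sh syn_check.sh --live
if [ "${1:-}" = "--live" ]; then
    check_syn_tuning /proc/sys/net/ipv4
fi
```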