On Thu, Jan 13, 2005 at 08:00:28PM +0100, Iago Rubio wrote:
> But ITOH I'm not sure to ship a broken TCP implementation by default
> should be a great idea, even while this broken implementation can help
> during a syn flood attack - but not solve it.
>
> It will also break TCP extensions as T/TCP.
>
> In fact, against a serious syn flood there's nothing your box can do,
> even with syncookies enabled.
>
> You will end losing legitimate connections.

SYN cookies will not be used unless the SYN queue is full; if the queue is full, the connection would be dropped if SYN cookies are not enabled. Using cookies lets you serve the majority of clients instead of none at all. The document you quoted says that SYN cookies should not be used as a fallback facility when legitimate traffic is overwhelming the server.

From linux 2.4.24 net/ipv/tcp_ipv4.c:

    if (tcp_synq_is_full(sk) && !isn) {
    #ifdef CONFIG_SYN_COOKIES
        if (sysctl_tcp_syncookies) {
            want_cookie = 1;
        } else
    #endif
        goto drop;
    }

Cheers,
Oskari
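The queue-full branch quoted above, as an added example that is not part of the original message or of the kernel: a toy model of the listener decision (queue, answer with a stateless cookie, or drop) plus a constructed cookie make/check pair, so the "serve the majority instead of none" claim can be exercised with a flood followed by legitimate SYNs. The hash, the backlog of 256 and the secret value are assumptions of this example.

```c
#include <stdint.h>
/* Toy model of the queue-full branch quoted above: constructed example, not kernel code. */
/* toy_hash stands in for the kernel's secret-keyed cookie hash and omits the time */
/* counter and MSS bits that real SYN cookies encode. */
enum syn_action { SYN_QUEUED, SYN_COOKIE, SYN_DROP };
struct listener {
    int syncookies;  /* plays the role of sysctl_tcp_syncookies */
    int synq_len;    /* half-open connections held in the SYN queue */
    int synq_max;    /* tcp_synq_is_full() once synq_len reaches this */
};
/* Keyed mix of the client fields; 'secret' is server-side and never sent. */
static uint32_t toy_hash(uint32_t saddr, uint16_t sport, uint32_t isn, uint32_t secret)
{
    uint32_t h = secret ^ 0x9e3779b9u;
    h ^= saddr; h *= 0x85ebca6bu; h ^= h >> 13;
    h ^= sport; h *= 0xc2b2ae35u; h ^= h >> 16;
    h ^= isn;   h *= 0x27d4eb2fu; h ^= h >> 15;
    return h;
}
/* The cookie is sent as the server ISN in the SYN-ACK; nothing is stored per client. */
uint32_t syncookie_make(uint32_t saddr, uint16_t sport, uint32_t client_isn, uint32_t secret)
{
    return toy_hash(saddr, sport, client_isn, secret);
}
/* The handshake's final ACK must carry cookie + 1; recompute rather than look it up. */
int syncookie_check(uint32_t saddr, uint16_t sport, uint32_t client_isn,
                    uint32_t ack_seq, uint32_t secret)
{
    return ack_seq - 1u == syncookie_make(saddr, sport, client_isn, secret);
}
/* Mirrors the quoted branch: queue while there is room, otherwise cookie or drop. */
enum syn_action handle_syn(struct listener *l)
{
    if (l->synq_len >= l->synq_max) {
        if (l->syncookies)
            return SYN_COOKIE;  /* want_cookie = 1 */
        return SYN_DROP;        /* goto drop */
    }
    l->synq_len++;
    return SYN_QUEUED;
}
/* Flood SYNs arrive first and fill the queue; count the later legitimate SYNs that get a reply. */
int legit_answered(int syncookies, int flood_syns, int legit_syns)
{
    struct listener l = { syncookies, 0, 256 };  /* constructed backlog of 256 */
    int answered = 0;
    for (int i = 0; i < flood_syns; i++) handle_syn(&l);
    for (int i = 0; i < legit_syns; i++) if (handle_syn(&l) != SYN_DROP) answered++;
    return answered;
}
```

With the queue already full, legit_answered(1, 1000, 100) returns 100 and legit_answered(0, 1000, 100) returns 0, which is the difference the reply above describes.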