Hi all,
it seems to be clear that "tcp_syncookie" (beside others) might help to
better prevent/survive syn flood attacks. So why is this option not
enabled by default?
When searching the web for negative impact of enabling syn_cookies, I
found lots of posts, saying "it's a fallback facility" and "must not be
used on highly loaded servers". That it "violates TCP protocol" and
"does not allow to use TCP extensions".
On the other hand I found that these are all rumors of the "SYN cookie
monster" stated by D.J. Bernstein on "http://cr.yp.to/syncookies.html".
So my question is, is it ok to enable "tcp_syncookies" on highly loaded
servers by default without any negative impact(s) or if it would be
better to change kernel configuration to make use of this feature only
in certain situations.
Could you please shed some light on this.
Best regards - philipp
--
Kind regards
Philipp Herz
Your Profihost Team
-------------------------------
Profihost AG
Am Mittelfelde 29
30519 Hannover
Germany
Tel.: +49 (511) 5151 8000 | Fax.: +49 (511) 5151 8299
URL: www.profihost.com | E-Mail: info@xxxxxxxxxxxxx
Registered office: Hannover, VAT ID DE813460827
Commercial register: Hannover Local Court, registration no. HRB 202350
Executive Board: Cristoph Bluhm, Sebastian Bluhm, Stefan Priebe
Supervisory Board: Prof. Dr. iur. Winfried Huck (Chairman)