Hi,

as far as I know it disables TCP window scaling, which can have a significant impact on TCP performance, especially on fast links. Additionally, SYN-flooding attacks seem to occur less often than in the 90s, so it sh/could be a non-issue anyway.

Best Regards,
Benjamin Kiessling

On 2010.11.15 15:00:57 +0100, Philipp Herz - Profihost AG wrote:
> Hi all,
>
> it seems to be clear that "tcp_syncookie" (beside others) might help
> to better prevent/survive syn flood attacks. So why is this option
> not enabled by default?
>
> When searching the web for negative impact of enabling syn_cookies,
> I found lots of posts saying "it's a fallback facility" and "must
> not be used on highly loaded servers", that it "violates TCP
> protocol" and "does not allow to use TCP extensions".
>
> On the other hand I found that these are all rumors of the "SYN cookie
> monster", as stated by D.J. Bernstein on
> "http://cr.yp.to/syncookies.html".
>
> So my question is: is it ok to enable "tcp_syncookies" on highly
> loaded servers by default without any negative impact(s), or would it
> be better to change the kernel configuration to make use of this
> feature only in certain situations?
>
> Could you please shed some light on this.

--
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
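The thread turns on whether SYN cookies are a "fallback facility": with net.ipv4.tcp_syncookies=1 the Linux kernel only emits cookies once a listener's SYN backlog overflows, so the trade-offs debated above only apply on a host where that has actually happened. The following script is an added example, not code from the linux-net thread or its authors; it reads the TcpExt counters from a file in /proc/net/netstat layout (a constructed sample is embedded so it runs offline) and reports whether cookies have been sent, received, or rejected. The function names and the sample values are my own.

```shell
#!/bin/sh
# Added example (not from the linux-net thread): report whether the kernel has
# resorted to SYN cookies by reading the TcpExt counters in /proc/net/netstat.
# SyncookiesSent > 0 means the listen backlog overflowed at some point and the
# cookie code path (with its TCP-option limitations) was actually exercised.

# Print "Name=Value" for the three Syncookies* counters found in a file that
# uses the /proc/net/netstat layout (a header line followed by a value line).
# $1: path to the netstat-style file.
syncookie_counters() {
    awk '
        $1 == "TcpExt:" && !have_hdr { for (i = 2; i <= NF; i++) name[i] = $i; have_hdr = 1; next }
        $1 == "TcpExt:" && have_hdr  {
            for (i = 2; i <= NF; i++)
                if (name[i] ~ /^Syncookies(Sent|Recv|Failed)$/) printf "%s=%s\n", name[i], $i
            exit
        }' "$1"
}

# Exit 0 when SyncookiesSent is non-zero, 1 otherwise; suitable as a
# monitoring check that fires only when the backlog has really overflowed.
# $1: path to the netstat-style file.
syncookies_active() {
    sent=$(syncookie_counters "$1" | awk -F= '$1 == "SyncookiesSent" { print $2 }')
    [ "${sent:-0}" -gt 0 ]
}

# Constructed sample in /proc/net/netstat layout (only a few columns kept).
SAMPLE_NETSTAT=$(mktemp)
cat > "$SAMPLE_NETSTAT" <<'EOF'
TcpExt: SyncookiesSent SyncookiesRecv SyncookiesFailed EmbryonicRsts PruneCalled
TcpExt: 1532 1498 34 0 0
IpExt: InNoRoutes InTruncatedPkts
IpExt: 0 0
EOF

syncookie_counters "$SAMPLE_NETSTAT"
if syncookies_active "$SAMPLE_NETSTAT"; then
    echo "SYN cookies have been sent: the listen backlog overflowed at some point"
else
    echo "No SYN cookies sent so far"
fi
rm -f "$SAMPLE_NETSTAT"

# On a live Linux host, run the same check against the real counters and show
# the sysctls that govern when cookies kick in:
#   syncookie_counters /proc/net/netstat
#   sysctl net.ipv4.tcp_syncookies net.ipv4.tcp_max_syn_backlog
```

A rising SyncookiesFailed count alongside SyncookiesSent indicates ACKs that did not validate against any recent cookie, which is what one expects to see during a SYN flood; SyncookiesSent without a corresponding flood usually means the backlog (net.ipv4.tcp_max_syn_backlog, or the application's listen() backlog) is simply too small for legitimate load.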