Re: TCP_SYNCOOKIES - Negative impact(s) when enabled?

Hi,

as far as I know it disables TCP window scaling which can have a significant
impact on TCP performance, especially on fast links. Additionally,
SYN-flooding attacks seem to occur less often than in the 90s so it sh/could
be a non-issue anyway.

Best Regards,
Benjamin Kiessling

On 2010.11.15 15:00:57 +0100, Philipp Herz - Profihost AG wrote:
> Hi all,
> 
> it seems to be clear that "tcp_syncookie" (beside others) might help
> to better prevent/survive syn flood attacks. So why is this option
> not enabled by default?
> 
> When searching the web for negative impact of enabling syn_cookies,
> I found lots of posts, saying "it's a fallback facility" and "must
> not be used on highly loaded servers". That it "violates TCP
> protocol" and "does not allow to use TCP extensions".
> 
> On the other hand I found that these are all rumors of the "SYN cookie
> monster" stated by D.J. Bernstein on
> "http://cr.yp.to/syncookies.html".
> 
> So my question is, is it ok to enable "tcp_syncookies" on highly
> loaded servers by default without any negative impact(s) or if it
> would be better to change kernel configuration to make use of this
> feature only in certain situations.
> 
> Could you please shed some light on this.
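
One way to check on a loaded server whether SYN cookies are being issued at all, as an added example that is not part of the thread: with net.ipv4.tcp_syncookies=1 the kernel sends cookies only when a listening socket's SYN backlog overflows, so the growth of the TcpExt counters in /proc/net/netstat between two snapshots shows how often the fallback actually ran. The function names and both snapshots are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): measure SYN cookie activity between two
# snapshots of /proc/net/netstat. The snapshot contents below are constructed.

# netstat_counter FILE NAME: print TcpExt counter NAME from a netstat snapshot.
# The file holds a "TcpExt:" line of names followed by a "TcpExt:" line of values.
netstat_counter() {
    awk -v want="$2" '
        $1 == "TcpExt:" && !seen { for (i = 2; i <= NF; i++) col[$i] = i; seen = 1; next }
        $1 == "TcpExt:"          { print ((want in col) ? $(col[want]) : 0); exit }
    ' "$1"
}

# counter_delta BEFORE AFTER NAME: growth of NAME between the two snapshots.
counter_delta() {
    echo $(( $(netstat_counter "$2" "$3") - $(netstat_counter "$1" "$3") ))
}

# syncookie_state BEFORE AFTER MODE: MODE is the net.ipv4.tcp_syncookies value.
syncookie_state() {
    if [ "$3" = "0" ]; then echo "disabled"
    elif [ "$(counter_delta "$1" "$2" SyncookiesSent)" -gt 0 ]; then echo "cookies-sent"
    else echo "idle"
    fi
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/before" <<'EOF'
TcpExt: SyncookiesSent SyncookiesRecv SyncookiesFailed ListenOverflows ListenDrops
TcpExt: 120 95 7 40 44
IpExt: InNoRoutes InTruncatedPkts
IpExt: 0 0
EOF
cat > "$WORK/after" <<'EOF'
TcpExt: SyncookiesSent SyncookiesRecv SyncookiesFailed ListenOverflows ListenDrops
TcpExt: 870 610 31 290 301
IpExt: InNoRoutes InTruncatedPkts
IpExt: 0 0
EOF

# On a live host: cp /proc/net/netstat before; sleep 60; cp /proc/net/netstat after
for c in SyncookiesSent SyncookiesRecv SyncookiesFailed ListenOverflows; do
    echo "$c +$(counter_delta "$WORK/before" "$WORK/after" "$c")"
done
echo "state: $(syncookie_state "$WORK/before" "$WORK/after" 1)"
```

SyncookiesSent counts cookies issued, SyncookiesRecv counts valid cookie ACKs accepted, and SyncookiesFailed counts ACKs whose cookie did not validate; a delta of zero for all three means the setting was enabled but never exercised during the interval.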