TCP_SYNCOOKIES - Negative impact(s) when enabled?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Hi all,

it seems to be clear that "tcp_syncookie" (beside others) might help to better prevent/survive syn flood attacks. So why is this option not enabled by default?

When searching the web for negative impact of enabeling syn_cookies, i found lots of posts, saying "it's a fallback facility" and "must not be used on highly loaded servers". That it "violates TCP protocol" and "does not allow to use TCP extensions".

On the other hand i found, that are all rumors of the "SYN cookie monster" stated by D.J. Bernstein on "";.

So my question is, is it ok to enable "tcp_syncookies" on higly loaded servers by default without any negative impact(s) or if it would be better to change kernel configuration to make use of this feature only in certain situations.

Could you please shed some light on this.

Best regards - philipp

Mit freundlichen Grüßen
  Philipp Herz
Ihr Profihost Team


Profihost AG
Am Mittelfelde 29
30519 Hannover

Tel.: +49 (511) 5151 8000     | Fax.: +49 (511) 5151 8299
URL:  | E-Mail: info@xxxxxxxxxxxxx

Sitz der Gesellschaft: Hannover, USt-IdNr. DE813460827
Registergericht: Amtsgericht Hannover, Register-Nr.: HRB 202350
Vorstand: Cristoph Bluhm, Sebastian Bluhm, Stefan Priebe
Aufsichtsrat: Prof. Dr. iur. Winfried Huck (Vorsitzender)
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at

[Index of Archives]     [Netdev]     [Ethernet Bridging]     [Linux 802.1Q VLAN]     [Linux Wireless]     [Kernel Newbies]     [Security]     [Linux for Hams]     [Netfilter]     [Git]     [Bugtraq]     [Photo]     [Yosemite News and Information]     [MIPS Linux]     [ARM Linux]     [Linux RAID]     [Linux PCI]     [Linux Admin]     [Samba]     [Video 4 Linux]