TCP_SYNCOOKIES - Negative impact(s) when enabled?
Hi all,

it seems to be clear that "tcp_syncookie" (besides others) might help to better prevent/survive SYN flood attacks. So why is this option not enabled by default?
When searching the web for negative impacts of enabling syn_cookies, I found lots of posts saying "it's a fallback facility" and "must not be used on highly loaded servers", that it "violates TCP protocol" and "does not allow to use TCP extensions".
On the other hand, I found that these are all rumors of the "SYN cookie monster", as stated by D.J. Bernstein on "http://cr.yp.to/syncookies.html".
So my question is whether it is OK to enable "tcp_syncookies" on highly loaded servers by default without any negative impact(s), or whether it would be better to change the kernel configuration to make use of this feature only in certain situations.
Could you please shed some light on this.

Best regards - philipp

--
With kind regards
Philipp Herz
Your Profihost Team
-------------------------------
Profihost AG
Am Mittelfelde 29
30519 Hannover
Germany
Tel.: +49 (511) 5151 8000 | Fax.: +49 (511) 5151 8299
URL: www.profihost.com | E-Mail: info@xxxxxxxxxxxxx
Registered office: Hannover, VAT ID No. DE813460827
Register court: Amtsgericht Hannover, Register No.: HRB 202350
Executive Board: Cristoph Bluhm, Sebastian Bluhm, Stefan Priebe
Supervisory Board: Prof. Dr. iur. Winfried Huck (Chairman)
--
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html