Re: TCP SYN cookies and Bug #520668

2010-02-14 Thread Julien Cristau
On Mon, Feb 15, 2010 at 08:53:26 +1100, Robert Collins wrote: > On Sun, 2010-02-14 at 11:00 +0100, Florian Weimer wrote: > > > BTW, will users think that the current warning ("possible SYN flooding > > on port %d. Sending cookies") always indicates an attack? Hopefully > > not. > > I'm sure non

Re: TCP SYN cookies and Bug #520668

2010-02-14 Thread Robert Collins
On Sun, 2010-02-14 at 11:00 +0100, Florian Weimer wrote: > BTW, will users think that the current warning ("possible SYN flooding > on port %d. Sending cookies") always indicates an attack? Hopefully > not. I'm sure non sysadmins will be confused by it, but they probably don't look at dmesg anyh

Re: TCP SYN cookies and Bug #520668

2010-02-14 Thread Florian Weimer
* Peter Palfrader: > On Sat, 13 Feb 2010, Florian Weimer wrote: > >> * Craig Small: >> >> > While initially skeptical, I can see that under high TCP loads having >> > some sort of connection is better than having no connection. Connections >> > with large windows will be dropped, but they would b

Re: TCP SYN cookies and Bug #520668

2010-02-13 Thread Marco d'Itri
On Feb 14, Paul Wise wrote: > Kinda disappointing thread, but it reveals a few points: I see more handwaving than points. -- ciao, Marco

Re: TCP SYN cookies and Bug #520668

2010-02-13 Thread Paul Wise
On Sun, Feb 14, 2010 at 2:08 AM, Marco d'Itri wrote: > On Feb 13, Ben Hutchings wrote: > >> The upstream default is that they are disabled.  The onus is on >> proponents to argue why this should be changed. > > The proposed rationale for the change is that SYN cookies are not used > until the SYN

Re: TCP SYN cookies and Bug #520668

2010-02-13 Thread Peter Palfrader
On Sat, 13 Feb 2010, Florian Weimer wrote: > * Craig Small: > > > While initially skeptical, I can see that under high TCP loads having > > some sort of connection is better than having no connection. Connections > > with large windows will be dropped, but they would be anyhow. > > This argument

Re: TCP SYN cookies and Bug #520668

2010-02-13 Thread Florian Weimer
* Craig Small: > While initially skeptical, I can see that under high TCP loads having > some sort of connection is better than having no connection. Connections > with large windows will be dropped, but they would be anyhow. This argument ignores the non-attack overload case. Lack of window sca

Re: TCP SYN cookies and Bug #520668

2010-02-13 Thread Marco d'Itri
On Feb 13, Ben Hutchings wrote: > The upstream default is that they are disabled. The onus is on > proponents to argue why this should be changed. The proposed rationale for the change is that SYN cookies are not used until the SYN queue is full and at that point it is more useful to have new TC

Re: TCP SYN cookies and Bug #520668

2010-02-13 Thread Ben Hutchings
On Sat, 2010-02-13 at 18:24 +0100, Marco d'Itri wrote: > On Feb 13, Ben Hutchings wrote: > > > I'm going to agree with Bastian here. Single-user systems won't need > > this and system administrators can make their own choice. > I do not really disagree with your argument, but can you or the othe

Re: TCP SYN cookies and Bug #520668

2010-02-13 Thread Marco d'Itri
On Feb 13, Ben Hutchings wrote: > I'm going to agree with Bastian here. Single-user systems won't need > this and system administrators can make their own choice. I do not really disagree with your argument, but can you or the other people who oppose this explain more clearly why you consider en

Re: TCP SYN cookies and Bug #520668

2010-02-13 Thread Julien Cristau
On Sun, Feb 14, 2010 at 00:42:09 +1100, Craig Small wrote: > My proposal is to change sysctl.conf so by default it will have TCP SYN > cookies ENABLED. Anyone is quite able to change this but the default is > proposed to be enabled. > > Before I make this change, I am emailing debian-devel for

Re: TCP SYN cookies and Bug #520668

2010-02-13 Thread Ben Hutchings
On Sat, 2010-02-13 at 16:08 +0100, Bastian Blank wrote: > On Sun, Feb 14, 2010 at 12:42:09AM +1100, Craig Small wrote: > > Before I make this change, I am emailing debian-devel for comments. I > > am looking in particular for information about why it could be harmful > > (if it is). > > You forgo

Re: TCP SYN cookies and Bug #520668

2010-02-13 Thread Bastian Blank
On Sun, Feb 14, 2010 at 12:42:09AM +1100, Craig Small wrote: > Before I make this change, I am emailing debian-devel for comments. I > am looking in particular for information about why it could be harmful > (if it is). You forgot to mail the maintainer of the package you change the configuration

TCP SYN cookies and Bug #520668

2010-02-13 Thread Craig Small
Hello, There has been a bug opened for a while to enable TCP SYN cookies by default. The current situation is that /etc/sysctl.conf has this option, but it is commented out. The procps (sysctl.conf) bug is http://bugs.debian.org/520668; you may also like to read the discussion about the tcp(7) man page at