On Fri, 12 Sep 2008, Kees Cook wrote:

> Enabling syncookies disables TCP window scaling[1],

I think this is incorrect as stated.... But this should be confirmed/proved/disproved. As far as I have found out elsewhere, the syn-cookies support in Linux is adaptive, and does NOT come into play unless there is an overflow of SYN_RECVD ... I.e. tcp window scaling DOES work with syncookies=1 -- just not when there is a real syn-flood problem ... but... if syncookies was not enabled, such a connection would likely not succeed at all! -- what is better? ;-). (but -- see below -- situation is now different with latest kernel!)

> and in most situations,
> existing SYN-flood protections in the kernel
> already address most sorts of those attacks.

What are these 'existing SYN-flood protections' and how do they work? Increasing the backlog is simply increasing a finite limit -- randomly dropping SYN_RECVD entries also makes syn-flooding slightly less effective relative to forged-syn-traffic -- but -- it still should not actually take much traffic to overload the finite limits on SYN_RECVD, thereby making new legitimate connections unlikely to succeed. The cryptographic cookie approach avoids the need for the syn packet backlog... and stops the repetition of syn+ack packets in those cases.

> In some situations (perhaps like what alecm3 was experiencing)
> there are situations it might be needed,

I suspect that... with a busy server with many clients connecting a lot and connecting from slow links, it may be necessary to raise net.ipv4.tcp_max_syn_backlog because of the legitimate rate/number of such not-yet-completed incoming connections.

It's worth reading this article:-
http://lwn.net/Articles/277146/

Seemingly 2.6.26 now supports syncookies on ipv6 too, and now supports connections with window-scaling even if the connection was saved by syncookies.

Rather than having arguments over the value of the setting etc... -- How do we get this properly investigated and sorted out?

--Simon

-- 
proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...
https://bugs.launchpad.net/bugs/57091
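Added example, not part of the bug thread and not kernel or Ubuntu tooling: the message's claim that Linux SYN cookies are adaptive (only emitted once the SYN backlog overflows) can be checked on a host rather than argued about, because the kernel exports SyncookiesSent / SyncookiesRecv / SyncookiesFailed in the TcpExt section of /proc/net/netstat. The POSIX shell script below reads those counters together with the tcp_syncookies, tcp_max_syn_backlog and tcp_window_scaling sysctls and prints a verdict. The embedded netstat text is a constructed, trimmed sample (real files list many more TcpExt counters in the same header-line / value-line layout); all function names are this example's own. The tcp_syncookies value 2 handled below exists only in kernels much newer than the 2.6.2x series discussed in the thread.

```shell
#!/bin/sh
# Added example, not from the bug thread: report whether Linux SYN-cookie
# handling has actually engaged on this host. Linux only emits cookies once
# the SYN backlog overflows, so the TcpExt counters in /proc/net/netstat
# (SyncookiesSent / SyncookiesRecv / SyncookiesFailed) are the evidence.
# Function names below are this example's own, not kernel or Ubuntu tooling.

# Constructed, trimmed sample of /proc/net/netstat for offline use. Real files
# carry many more TcpExt counters, in the same header-line / value-line layout.
SAMPLE_NETSTAT=$(cat <<'EOF'
TcpExt: SyncookiesSent SyncookiesRecv SyncookiesFailed EmbryonicRsts ListenOverflows ListenDrops
TcpExt: 1204 1180 24 17 0 0
IpExt: InNoRoutes InTruncatedPkts
IpExt: 0 0
EOF
)

# tcpext_counter NAME  <netstat-text
# Print the value of one TcpExt counter, or NA when the kernel does not export it.
tcpext_counter() {
    awk -v name="$1" '
        # first TcpExt: line is the header; remember the column of each name
        $1 == "TcpExt:" && !have_hdr { for (i = 2; i <= NF; i++) idx[$i] = i; have_hdr = 1; next }
        # second TcpExt: line carries the values in the same column order
        $1 == "TcpExt:" && have_hdr  { if (name in idx) print $(idx[name]); else print "NA"; exit }
    '
}

# ipv4_sysctl KEY: read net.ipv4.KEY from /proc, NA when unreadable (e.g. some containers).
ipv4_sysctl() {
    if [ -r "/proc/sys/net/ipv4/$1" ]; then cat "/proc/sys/net/ipv4/$1"; else echo NA; fi
}

# syncookie_state SETTING SENT
# Combine the tcp_syncookies sysctl with the SyncookiesSent counter:
#   disabled - sysctl 0: a backlog overflow simply drops new SYNs
#   idle     - sysctl 1 but no cookie ever sent: the backlog never overflowed,
#              so the cookie path (and its side effects) never ran on this host
#   active   - sysctl 1 and cookies have been sent: at least one overflow
#   forced   - sysctl 2 (later kernels only): cookies on every SYN
syncookie_state() {
    cs_setting=$1; cs_sent=$2
    case "$cs_setting" in
        0) echo disabled ;;
        2) echo forced ;;
        1) case "$cs_sent" in
               NA|'') echo unknown ;;
               0)     echo idle ;;
               *)     echo active ;;
           esac ;;
        *) echo unknown ;;
    esac
}

# syncookie_report  <netstat-text
# Print the sysctls that matter in this thread plus the cookie counters and the verdict.
syncookie_report() {
    data=$(cat)
    setting=$(ipv4_sysctl tcp_syncookies)
    sent=$(printf '%s\n' "$data" | tcpext_counter SyncookiesSent)
    recv=$(printf '%s\n' "$data" | tcpext_counter SyncookiesRecv)
    failed=$(printf '%s\n' "$data" | tcpext_counter SyncookiesFailed)
    printf 'tcp_syncookies=%s tcp_max_syn_backlog=%s tcp_window_scaling=%s\n' \
        "$setting" "$(ipv4_sysctl tcp_max_syn_backlog)" "$(ipv4_sysctl tcp_window_scaling)"
    printf 'SyncookiesSent=%s SyncookiesRecv=%s SyncookiesFailed=%s\n' "$sent" "$recv" "$failed"
    printf 'state=%s\n' "$(syncookie_state "$setting" "$sent")"
}

# Stand-alone run against the constructed sample; on a real host use:
#   syncookie_report < /proc/net/netstat
printf '%s\n' "$SAMPLE_NETSTAT" | syncookie_report
```

A SyncookiesSent counter that stays at zero on a server with tcp_syncookies=1 means the backlog has never overflowed there, which is the situation the message describes as the normal one; a counter that climbs, usually alongside the kernel's "possible SYN flooding on port N. Sending cookies." log line, is the only time the cookie path has been used. Comparing that with ListenOverflows/ListenDrops and with tcp_max_syn_backlog is the data the thread asks for before arguing about the default.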