On Mon, May 13, 2002 at 04:08:27AM -0700, sim ton wrote:
> hi,
>
> i wanna be protected against SYN flood attack ... ok ...
> but i don't really know what is the best solution:
> iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
> or
> # Enable TCP SYN Cookie Protection
> #echo 1 > /proc/sys/net/ipv4/tcp_syncookies
>
> are they the same or not ???
Totally different. The first limits your system to a connection rate of 1 connect per second; this will affect users if you have a heavily used server, otherwise it will prevent system overload by connects. If the main purpose of your system is not serving connections, the rate limit does help to limit the effect of connection flooding.

The second one is more specifically aimed towards SYN floods and will not impact normal operations, because SYN cookies are only used if resources get used up by a SYN flood. If you use SYN cookies, make sure to observe your kernel's log and make sure that the kernel is not sending SYN cookies in normal load situations, because this will decrease the TCP performance of the clients. There are parameters to tune to make the kernel wait longer before SYN cookies are enabled. On small sized servers you do not need to tune this setting.

Greetings
Bernd
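The two mechanisms contrasted above, as an added example that is not part of the original thread: a rate-limit rule set that actually limits (the rule in the question needs "-j" and a matching DROP, or a DROP policy, to have any effect), the SYN cookie sysctls with the backlog knob that delays cookie use, and a check of kernel log lines for the "possible SYN flooding ... Sending cookies" message. The chain name SYN_LIMIT, the burst value, the backlog value and the sample log lines are constructed for illustration; nothing is applied unless APPLY=1.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes Linux with iptables
# and /proc/sys/net/ipv4; with APPLY unset it only prints what it would do.

rate_limit_rules() {
    # Accept at most 1 new SYN per second (burst 5) on FORWARD, drop the rest.
    # Without the trailing DROP the ACCEPT alone limits nothing.
    cat <<EOF
iptables -N SYN_LIMIT
iptables -A SYN_LIMIT -m limit --limit 1/s --limit-burst 5 -j ACCEPT
iptables -A SYN_LIMIT -j DROP
iptables -A FORWARD -p tcp --syn -j SYN_LIMIT
EOF
}

syncookie_sysctls() {
    # Cookies are only sent once the SYN backlog is full; raising the
    # backlog (value chosen for illustration) makes the kernel wait longer
    # under normal load before it starts sending them.
    cat <<EOF
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
EOF
}

# Returns 0 if a kernel log line reports cookies being sent (a SYN flood,
# or an undersized backlog at normal load), 1 otherwise.
is_syncookie_event() {
    case "$1" in
        *"possible SYN flooding on port"*"Sending cookies"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads log lines from stdin, prints how many report cookies being sent.
count_syncookie_events() {
    n=0
    while IFS= read -r line; do
        is_syncookie_event "$line" && n=$((n + 1))
    done
    echo "$n"
}

# Constructed sample log standing in for dmesg output.
SAMPLE_LOG='kernel: possible SYN flooding on port 80. Sending cookies.
kernel: eth0: link up
kernel: possible SYN flooding on port 443. Sending cookies.'

if [ "${APPLY:-0}" = 1 ]; then
    rate_limit_rules | sh
    syncookie_sysctls | while read -r k _ v; do sysctl -w "$k=$v"; done
else
    rate_limit_rules; syncookie_sysctls
    echo "cookie events in sample log: $(printf '%s\n' "$SAMPLE_LOG" | count_syncookie_events)"
fi
```

Run it periodically against `dmesg` output on a host with cookies enabled: a non-zero count during normal load is the signal that the backlog is too small for the traffic.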

