On Wed, May 08, 2002 at 01:45:32AM +0800, Patrick Hsieh wrote:
> Hello Vincent Hanquez <[EMAIL PROTECTED]>,
>
> But this option seems to bring some side-effects. Is there any
> alternative?
>
> tcp_syncookies - BOOLEAN
> Only valid when the kernel was compiled with CONFIG_SYNCOOKIES
> Send out syncookies when the syn backlog queue of a socket
> overflows. This is to prevent the common 'syn flood attack'.
> Default: FALSE
>
> Note that syncookies is a fallback facility.
> It MUST NOT be used to help highly loaded servers to stand
> against a legal connection rate. If you see synflood warnings
> in your logs, but investigation shows that they occur
> because of overload with legal connections, you should tune
> other parameters until this warning disappears.
> See: tcp_max_syn_backlog, tcp_synack_retries, tcp_abort_on_overflow.
>
> syncookies seriously violate the TCP protocol, do not allow
> the use of TCP extensions,
TCP extensions work normally when you aren't being SYN flooded, IIRC. DJB is one of the co-designers of SYN cookies. Read his explanation at http://cr.yp.to/syncookies.html.

> can result in serious degradation
> of some services (e.g. SMTP relaying), visible not to you,
> but to your clients and relays contacting you. While you see
> synflood warnings in logs without really being flooded, your server
> is seriously misconfigured.

-- 
#define X(x,y) x##y
Peter Cordes ; e-mail: X([EMAIL PROTECTED] , ns.ca)

"The gods confound the man who first found out how to distinguish the hours! Confound him, too, who in this place set up a sundial, to cut and hack my day so wretchedly into small pieces!" -- Plautus, 200 BCE
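As an added illustration of the SYN cookie scheme Peter points to (this is example code written for this page, not code from the post, the Linux kernel, or DJB's site), here is a constructed Python model of the handshake a flooded server performs. It follows the cookie layout described at http://cr.yp.to/syncookies.html: the 32-bit initial sequence number carries a 5-bit time counter, a 3-bit MSS table index and a 24-bit keyed hash of the connection 4-tuple, so the server can drop the SYN without queueing it and still validate the later ACK. The MSS table, secret key, addresses and `max_age` window are assumptions for the example. It also shows why the quoted documentation says extensions are lost: the client's window scale and SACK options were in the SYN that the server threw away, and 32 bits of cookie have no room to carry them.

```python
import hmac
import hashlib

# Constructed example, not kernel code. Cookie layout per cr.yp.to/syncookies.html:
#   bits 31..27 : t mod 32, where t is a counter that advances every 64 s
#   bits 26..24 : index into a small MSS table
#   bits 23..0  : keyed hash of (client ip, client port, server ip, server port, t)
# The table, key, addresses and max_age below are assumptions for the example.

MSS_TABLE = (536, 1300, 1440, 1460)      # 3 bits allow up to 8 entries
SECRET_KEY = b"constructed-per-boot-secret"


def mss_index(client_mss):
    """Largest table entry not exceeding what the client advertised."""
    idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            idx = i
    return idx


def _hash24(saddr, sport, daddr, dport, t):
    """24-bit keyed hash; the secret is what stops an attacker forging cookies."""
    msg = f"{saddr}:{sport}>{daddr}:{dport}@{t}".encode()
    digest = hmac.new(SECRET_KEY, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(saddr, sport, daddr, dport, client_mss, t):
    """ISN the server sends in its SYN-ACK instead of queueing the SYN."""
    return ((t & 0x1F) << 27) | (mss_index(client_mss) << 24) | _hash24(saddr, sport, daddr, dport, t)


def check_cookie(saddr, sport, daddr, dport, cookie, t_now, max_age=4):
    """Validate the cookie echoed in the client's ACK (ack number minus one).

    Returns the MSS recovered from the cookie, or None if the cookie is forged,
    belongs to another 4-tuple, or is older than max_age counter ticks. Only
    t mod 32 is stored, so recent counter values are tried until the low
    5 bits match.
    """
    for age in range(max_age + 1):
        t = t_now - age
        if (t & 0x1F) != cookie >> 27:
            continue
        if _hash24(saddr, sport, daddr, dport, t) == (cookie & 0xFFFFFF):
            return MSS_TABLE[(cookie >> 24) & 0x7]
        return None          # right epoch, wrong hash: forged or different 4-tuple
    return None              # no recent epoch matches: expired


def handshake_under_flood(client_mss, t_syn, t_ack, tamper=0):
    """Three-way handshake while the server's SYN backlog is full.

    Constructed addresses. The client asked for window scaling and SACK in its
    SYN, but the server kept no state, so those options cannot be recovered
    from the cookie and the connection runs without them. `tamper` XORs bits
    into the echoed cookie to model a spoofed or corrupted ACK.
    """
    client = ("192.0.2.10", 40000)
    server = ("198.51.100.1", 25)
    isn = make_cookie(client[0], client[1], server[0], server[1], client_mss, t_syn)
    ack_num = (isn + 1) & 0xFFFFFFFF                  # client's ACK
    echoed = ((ack_num - 1) ^ tamper) & 0xFFFFFFFF    # what the server sees
    mss = check_cookie(client[0], client[1], server[0], server[1], echoed, t_ack)
    if mss is None:
        return None
    return {"mss": mss, "wscale": None, "sack": False}
```

`handshake_under_flood(1460, 100, 100)` completes with MSS 1460 but no window scaling or SACK; an ACK arriving after the `max_age` window, or with any cookie bit flipped, is rejected with no state ever having been allocated, which is the whole point of the fallback. Note the counter in this model is passed in explicitly rather than read from the clock so the runs are deterministic.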

