On Thu, 23 Oct 2008, KimOlsen wrote:

>> "...option causes the system to violate the TCP standard..."
> I do not think this is the case. If you check RFC4732 they list this as
> a possible way to help against DoS attacks.
> I also believe that window scaling is not affected, but large windows
> are. But accepting legit traffic without large windows is better than
> dropping the connections.

Note that, seemingly, as of Linux 2.6.26, TCP connections with "large windows" can now be accepted under SYN flood too! So even that no longer matters, seemingly...

> So if the implementation is an adaptive one that only uses SYN
> cookies when under huge load, then I am all for this.

Yes, it is. Linux produces messages on the kernel log, to say "sending cookies" when this happens. I.e. SYN cookies do NOT come into play unless there is a high load of incoming connections.

I can understand that for some systems receiving a legitimately high number of connections, it may be necessary to increase the net.ipv4.tcp_max_syn_backlog (or whatever it is, exactly) to avoid the use of cookies... but that *still* does not create any reason not to have set tcp_syncookies=1 !!

> At least in the server edition.

I don't see why the install CD type matters, myself... Any install can result in some use of TCP listening sockets somewhere! Also... that then means extra work to set up different sysctl settings based upon install-disk...

But that's only my thoughts... It would be good to get this sorted out properly... But I don't know what other information is needed. I guess the problem is not information... in this world of information overload ;-). If the Ubuntu networking team don't want to change the setting, they don't want to change the setting... puzzling...

--Simon

--
proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...
https://bugs.launchpad.net/bugs/57091
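
The points raised in this message (the tcp_syncookies setting, the SYN backlog size, and the kernel's "sending cookies" log notice) can be checked on a host with a short script. This is an added example, not part of the original message: the function names and sample log lines are constructed, and the log wording it matches varies between kernel versions.

```shell
#!/bin/sh
# Added example: audit the sysctls discussed above and count the kernel's
# "Sending cookies" notices per port. Function names are hypothetical.

# check_syn_settings [DIR]: DIR defaults to the live /proc/sys/net/ipv4.
# Prints one finding per line; returns 1 if SYN cookies are disabled,
# 2 if the setting cannot be read.
check_syn_settings() {
    dir=${1:-/proc/sys/net/ipv4}
    cookies=$(cat "$dir/tcp_syncookies" 2>/dev/null) || cookies=unknown
    backlog=$(cat "$dir/tcp_max_syn_backlog" 2>/dev/null) || backlog=unknown
    echo "tcp_max_syn_backlog=$backlog"
    case $cookies in
        0) echo "tcp_syncookies=0 (no fallback when the SYN backlog fills)"
           return 1 ;;
        1) echo "tcp_syncookies=1 (cookies used only when the SYN backlog overflows)" ;;
        unknown) echo "tcp_syncookies=unknown"
           return 2 ;;
        *) echo "tcp_syncookies=$cookies" ;;
    esac
}

# cookie_events: read kernel log text on stdin and print "PORT COUNT" for
# each port the kernel reported as SYN-flooded, sorted by port number.
# Matches the "... SYN flooding on port N. Sending cookies" wording only.
cookie_events() {
    sed -n 's/.*[Pp]ossible SYN flooding on port \([0-9][0-9]*\)\. Sending cookies.*/\1/p' |
        sort -n | uniq -c | awk '{ print $2, $1 }'
}

# Constructed sample log lines (not taken from a real host).
SAMPLE_LOG='Oct 23 10:01:12 host kernel: possible SYN flooding on port 80. Sending cookies.
Oct 23 10:02:13 host kernel: possible SYN flooding on port 80. Sending cookies.
Oct 23 10:05:40 host kernel: possible SYN flooding on port 25. Sending cookies.
Oct 23 10:06:02 host kernel: eth0: link up'

check_syn_settings || true
printf '%s\n' "$SAMPLE_LOG" | cookie_events
```

Ports that appear repeatedly in the output while serving only legitimate traffic are the case where raising tcp_max_syn_backlog, as mentioned above, is worth considering.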