enable tcp_syncookies by default?

Jeff Spaleta jspaleta at gmail.com
Thu Jan 13 16:09:35 UTC 2005


On Thu, 13 Jan 2005 10:33:10 +0200, Marius Andreiana
<mandreiana at rdslink.ro> wrote:
> Enabling SYN cookies is a very simple way to defeat SYN flood attacks
> while using only a bit more CPU time for the cookie creation and
> verification. Since the alternative is to reject all incoming
> connections, enabling SYN cookies is an obvious choice.

Only a bit more CPU time?

Are there any hard numbers here to use to evaluate the trade-off more
quantitatively?

In what sort of load situations would you start to notice the CPU hit?
Are we talking about a 400 MHz Pentium running a small public web server?
Are we talking about a typical desktop/workstation install on middle
of the road current hardware?
Does a very active web server on reasonably modern hardware see the
CPU hit because of its high network traffic?

How does this scale with network activity and hardware resources?
Where are the cases where this becomes noticeable?

-jef
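
The "cookie creation and verification" work discussed in this thread, as an added example that is not part of the original message and not the kernel's code: a simplified SYN-cookie scheme in which each SYN costs one keyed hash and each returning ACK costs at most `max_age` hashes, with no per-connection state kept in between. The bit layout, `SECRET`, `MSS_TABLE`, `PERIOD` and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import struct

SECRET = b"constructed-demo-key"      # constructed; a real stack uses a random secret
MSS_TABLE = [536, 1300, 1440, 1460]   # assumed sample table, selected by a 3-bit index
PERIOD = 64                           # assumed seconds per time-counter tick


def _mac24(saddr, sport, daddr, dport, client_isn, t, idx):
    """24-bit keyed hash binding the cookie to the 4-tuple, time slot and MSS index."""
    msg = socket.inet_aton(saddr) + socket.inet_aton(daddr)
    msg += struct.pack("!HHIQB", sport, dport, client_isn, t, idx)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(saddr, sport, daddr, dport, client_isn, mss, now):
    """Per-SYN work: one keyed hash, nothing stored. Returns the 32-bit server ISN."""
    t = int(now) // PERIOD
    # Largest table entry that does not exceed the MSS the client offered.
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    mac = _mac24(saddr, sport, daddr, dport, client_isn, t, idx)
    return ((t % 32) << 27) | (idx << 24) | mac


def check_cookie(cookie, saddr, sport, daddr, dport, client_isn, now, max_age=2):
    """Per-ACK work: recompute the hash for the most recent time slots.

    cookie is the ACK number minus 1; client_isn is the sequence number minus 1.
    Returns the recovered MSS, or None if the cookie is forged or expired.
    """
    idx = (cookie >> 24) & 0x7
    if idx >= len(MSS_TABLE):
        return None
    t_now = int(now) // PERIOD
    for age in range(max_age):
        t = t_now - age
        if t < 0:
            break
        if t % 32 != cookie >> 27:
            continue  # time bits do not match this slot; skip the hash
        if _mac24(saddr, sport, daddr, dport, client_isn, t, idx) == cookie & 0xFFFFFF:
            return MSS_TABLE[idx]
    return None
```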




More information about the fedora-devel-list mailing list