enable tcp_syncookies by default?

Oskari Saarenmaa os at sumu.org
Thu Jan 13 16:36:19 UTC 2005


On Thu, Jan 13, 2005 at 11:09:35AM -0500, Jeff Spaleta wrote:
> How does this scale with network activity and hardware resources?
> Where are the cases where this becomes noticeable?

Note that syncookies are not used until the SYN queue is full, so unless the
server is under attack everything proceeds just as it would with syncookies
turned off.  They are only enabled when the queue fills up, and in that case
spending a bit more (I don't have any numbers on this) CPU time should be
favourable to not being able to answer incoming requests.

I run a fairly busy database-heavy website on a low-end PC (1.2 GHz Athlon)
that gets around a million hits per day - and also gets SYN flooded every
now and then.  After I enabled syncookies on the server it has always
managed to serve all valid requests.

So... is there a reason why they are not enabled by default?

Cheers,
Oskari
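
Added example, not part of the original message: a shell check of whether syncookies have actually been triggered on a host, using the TcpExt counters in /proc/net/netstat. The function names and the two sample counter files are constructed for illustration.

```shell
#!/bin/sh
# Added example; sample counter data below is constructed, not from a real host.

# tcpext_counter NAME [FILE]: print one TcpExt counter from /proc/net/netstat-style
# input (a header line of counter names followed by a line of values).
tcpext_counter() {
    awk -v want="$1" '
        $1 != "TcpExt:" { next }
        !have_hdr { for (i = 2; i <= NF; i++) col[$i] = i; have_hdr = 1; next }
        { if (want in col) print $(col[want]); else print 0; exit }
    ' "${2:-/proc/net/netstat}"
}

# syncookie_state MODE [FILE]: MODE is the value of net.ipv4.tcp_syncookies
# (0 = off, 1 = send cookies only when the SYN queue overflows, 2 = always).
syncookie_state() {
    sent=$(tcpext_counter SyncookiesSent "${2:-/proc/net/netstat}")
    case "$1" in
        0) echo "disabled" ;;
        2) echo "always-on" ;;
        1) if [ "${sent:-0}" -gt 0 ]; then echo "triggered"; else echo "armed-idle"; fi ;;
        *) echo "unknown" ;;
    esac
}

# Constructed samples: a host that never overflowed, and one that was SYN flooded.
SAMPLE_QUIET=$(mktemp)
SAMPLE_FLOOD=$(mktemp)
trap 'rm -f "$SAMPLE_QUIET" "$SAMPLE_FLOOD"' EXIT
cat > "$SAMPLE_QUIET" <<'EOF'
TcpExt: SyncookiesSent SyncookiesRecv SyncookiesFailed ListenOverflows ListenDrops
TcpExt: 0 0 0 0 0
EOF
cat > "$SAMPLE_FLOOD" <<'EOF'
TcpExt: SyncookiesSent SyncookiesRecv SyncookiesFailed ListenOverflows ListenDrops
TcpExt: 48213 1907 46 0 0
EOF

echo "quiet host:   $(syncookie_state 1 "$SAMPLE_QUIET")"
echo "flooded host: $(syncookie_state 1 "$SAMPLE_FLOOD")"
echo "cookies sent: $(tcpext_counter SyncookiesSent "$SAMPLE_FLOOD")," \
     "valid returns: $(tcpext_counter SyncookiesRecv "$SAMPLE_FLOOD")," \
     "invalid: $(tcpext_counter SyncookiesFailed "$SAMPLE_FLOOD")"
```

On a live Linux host, calling `syncookie_state "$(cat /proc/sys/net/ipv4/tcp_syncookies)"` reads the real counters; a SyncookiesSent value of 0 with mode 1 means the SYN queue has not overflowed since boot and the cookie path has never run.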