enable tcp_syncookies by default?

Jeff Spaleta jspaleta at gmail.com
Thu Jan 13 16:59:27 UTC 2005


On Thu, 13 Jan 2005 18:36:19 +0200, Oskari Saarenmaa <os at sumu.org> wrote:
> Note that syncookies are not used until the synqueue is full, so unless the
> server is under attack everything proceeds just as it would with syncookies
> turned off.  They are only enabled when the queue fills up, and in that case
> spending a bit more (I don't have any numbers on this) CPU time should be
> favourable to not being able to answer incoming requests.

Seems reasonable to me. I asked just as a clarification. If your
explanation as to when in the process the syncookies have to be dealt
with is correct... then the performance tradeoff is a non-issue. Other
post(s) have implied there is a CPU hit during non-attacked
situations, but if there isn't then there isn't a concern here.
 
-jef
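
The behaviour discussed in this thread can be checked on a running host from the kernel's own counters. The script below is an added example, not part of the original message: the function names are hypothetical and the two counter samples are constructed, trimmed to a few columns of the `TcpExt` lines in `/proc/net/netstat`.

```shell
#!/bin/sh
# Added example: decide from the SYN cookie counters whether cookies were
# ever issued, i.e. whether the SYN queue actually overflowed.

# netstat_counter NAME   (reads /proc/net/netstat text on stdin)
# The file holds line pairs per protocol: a header line of counter names,
# then a line of values in the same column order.
netstat_counter() {
    awk -v want="$1" '
        $1 == "TcpExt:" && !have_hdr {
            for (i = 2; i <= NF; i++) col[$i] = i
            have_hdr = 1
            next
        }
        $1 == "TcpExt:" && have_hdr {
            if (want in col) { print $(col[want]); found = 1 }
            exit
        }
        END { if (!found) exit 1 }
    '
}

# syncookie_report MODE  (MODE = net.ipv4.tcp_syncookies: 0 off, 1 on queue
# overflow, 2 unconditionally; netstat text on stdin)
syncookie_report() {
    mode=$1
    data=$(cat)
    sent=$(printf '%s\n' "$data" | netstat_counter SyncookiesSent) || return 2
    failed=$(printf '%s\n' "$data" | netstat_counter SyncookiesFailed) || return 2
    if [ "$mode" -eq 0 ]; then echo "disabled"
    elif [ "$sent" -eq 0 ]; then echo "enabled-idle"   # queue never filled
    else echo "enabled-used sent=$sent failed=$failed"
    fi
}

# Constructed samples: a quiet host and a host that has seen a SYN flood.
SAMPLE_IDLE='TcpExt: SyncookiesSent SyncookiesRecv SyncookiesFailed ListenOverflows ListenDrops
TcpExt: 0 0 0 0 0
IpExt: InNoRoutes InTruncatedPkts
IpExt: 0 0'
SAMPLE_FLOOD='TcpExt: SyncookiesSent SyncookiesRecv SyncookiesFailed ListenOverflows ListenDrops
TcpExt: 1842 37 1290 0 0'

printf '%s\n' "$SAMPLE_IDLE"  | syncookie_report 1
printf '%s\n' "$SAMPLE_FLOOD" | syncookie_report 1
# Live host: syncookie_report "$(sysctl -n net.ipv4.tcp_syncookies)" < /proc/net/netstat
```

With `tcp_syncookies` set to 1, a `SyncookiesSent` value that stays at zero means no cookie has been sent since boot, so the cookie code path has not been exercised on that host.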




More information about the fedora-devel-list mailing list