enable tcp_syncookies by default?

Iago Rubio iago.rubio at hispalinux.es
Thu Jan 13 18:31:58 UTC 2005


On Thu, 2005-01-13 at 17:36, Oskari Saarenmaa wrote:
> On Thu, Jan 13, 2005 at 11:09:35AM -0500, Jeff Spaleta wrote:
> > How does this scale with network activity and hardware resources?
> > Where are the cases where this becomes noticeable?
> 
> Note that syncookies are not used until the synqueue is full, so unless the
> server is under attack everything proceeds just as it would with syncookies
> turned off.  They are only enabled when the queue fills up, and in that case
> spending a bit more (I don't have any numbers on this) CPU time should be
> favourable to not being able to answer incoming requests.

Hmmm ... so, why did I use to read things like that?

[quote]
syncookies seriously violate TCP protocol, do not allow to use TCP
extensions, can result in serious degradation of some services (f.e.
SMTP relaying), visible not by you, but your clients and relays,
contacting you.
[/quote]

You can read it with this command on your system:
vi +159 `locate ip-sysctl.txt`

> I run a fairly busy database-heavy website on a lowend 
> PC (1.2ghz athlon)

It seems "lowend" does not have the same meaning here in Spain :)

> that gets around a million hits per day - and also gets SYN flooded every
> now and then.  After I enabled syncookies on the server it has always
> managed to serve all valid requests.
> 
> So.. is there a reason why they are not enabled by default?

1.- Violates TCP protocol
2.- You can't use extensions such as T/TCP with syncookies.
3.- Can result in serious degradation of some services.

Not my words, it's in the kernel documentation.

Cheers.
-- 
Iago Rubio
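The point raised earlier in the thread, that cookies are only sent once the SYN queue fills, can be checked on a running box from the kernel's own counters. The script below is an added example, not code from the thread or from the kernel tree: it reads the SyncookiesSent, SyncookiesFailed and ListenOverflows counters (real TcpExt names) from /proc/net/netstat, and falls back to a constructed sample when /proc is not readable.

```shell
#!/bin/sh
# Added example (not from the thread): has this kernel ever fallen back
# to SYN cookies? Counter names are the kernel's TcpExt fields; the
# sample values below are made up for demonstration.

# Print one TcpExt counter by name from netstat-format text on stdin.
# The first "TcpExt:" line is the header, the second carries the values.
tcpext_counter() {
    awk -v name="$1" '
        $1 == "TcpExt:" && header == 0 {
            for (i = 2; i <= NF; i++) if ($i == name) col = i
            header = 1; next
        }
        $1 == "TcpExt:" && header == 1 {
            if (col) print $col; else print "NA"
            exit
        }'
}

# Summarise the counters in one line. "idle" means no cookie was ever
# sent, so the SYN queue never filled; "fallback" means it filled at
# least once and the kernel answered with cookies.
# Argument: path to a netstat-format file (normally /proc/net/netstat).
syncookie_status() {
    sent=$(tcpext_counter SyncookiesSent < "$1")
    failed=$(tcpext_counter SyncookiesFailed < "$1")
    overflows=$(tcpext_counter ListenOverflows < "$1")
    if [ "${sent:-0}" -gt 0 ] 2>/dev/null; then state=fallback; else state=idle; fi
    printf '%s sent=%s failed=%s listen_overflows=%s\n' \
        "$state" "$sent" "$failed" "$overflows"
}

# Constructed sample so the functions run without root or a live /proc.
SAMPLE_FILE=$(mktemp)
trap 'rm -f "$SAMPLE_FILE"' EXIT
cat > "$SAMPLE_FILE" <<'EOF'
TcpExt: SyncookiesSent SyncookiesRecv SyncookiesFailed EmbryonicRsts ListenOverflows ListenDrops
TcpExt: 1532 1490 42 0 1532 1532
IpExt: InNoRoutes InTruncatedPkts
IpExt: 0 0
EOF

# On Linux, report the sysctl value next to the live counters.
if [ -r /proc/net/netstat ] && [ -r /proc/sys/net/ipv4/tcp_syncookies ]; then
    printf 'tcp_syncookies=%s ' "$(cat /proc/sys/net/ipv4/tcp_syncookies)"
    syncookie_status /proc/net/netstat
else
    syncookie_status "$SAMPLE_FILE"
fi
```

A non-zero SyncookiesSent that keeps growing between two runs is the sign that the listen queue is currently overflowing, which is the situation the quoted documentation warns will be visible to clients and relays rather than to you.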