enable tcp_syncookies by default?

Iago Rubio iago.rubio at hispalinux.es
Thu Jan 13 19:00:28 UTC 2005


On Thu, 2005-01-13 at 16:48, Pekka Savola wrote:
> On Thu, 13 Jan 2005, Iago Rubio wrote:
> > Default settings should be for the most common configuration,
> 
> By that logic, syn cookies should be enabled.
> 
> It's 2005.  Computers are connected to the net, period.

Yes, I know. 

I've got right now 5 computers connected to the net around me, 8
computers in my home LAN.  

None of them can be a target of syn floods from the Internet.

As I'm sure you know, a computer can access the net without facing
it.

A route from your LAN to the Internet does not make your machine a target of
syn flood attacks.

From a desktop user's perspective, with no server running, syncookies
have nothing to do when enabled, as you need at least one open port to
trigger a syn flood.

Computers being connected to the Internet does not mean they are targets of syn
floods at all.

Only servers connected to the Internet have this risk.
 
> It's better to err in the side of caution, you know.

I agree with you.

But OTOH I'm not sure that shipping a broken TCP implementation by default
is a great idea, even if this broken implementation can help
during a syn flood attack - but not solve it.

It will also break TCP extensions such as T/TCP.

In fact, against a serious syn flood there's nothing your box can do,
even with syncookies enabled. 

You will end up losing legitimate connections.


Regards.
-- 
Iago Rubio
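The post's argument rests on one observable fact: a SYN can only be aimed at a listening socket, so a box with no reachable listener has nothing for tcp_syncookies to protect. The following script is an added example (not from the post, the thread, or the Fedora kernel) that checks that fact the way a defender would on a Linux host: it parses the /proc/net/tcp table, lists LISTEN sockets (separating loopback-only listeners, which the network cannot reach, from the rest), counts half-open SYN_RECV entries (the symptom of a flood in progress), and reads the live sysctl from /proc/sys/net/ipv4/tcp_syncookies. The state codes 0A (LISTEN) and 03 (SYN_RECV) and the /proc paths are the kernel's own; the sample table is constructed, and the function names are mine.

```python
import socket
import struct

# Kernel socket-state codes as they appear in the "st" column of /proc/net/tcp
TCP_SYN_RECV = "03"   # half-open: SYN received, handshake not completed
TCP_LISTEN = "0A"     # listening socket (the only state a SYN can be aimed at)

# Constructed sample of /proc/net/tcp (not captured from a real host):
#   row 0: a printer daemon listening on 127.0.0.1:631 (loopback only)
#   row 1: sshd listening on 0.0.0.0:22 (reachable from the network)
#   row 2: an established outbound client connection
#   row 3: a half-open SYN_RECV entry queued against port 22
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0A00000A:C2F4 5DB8D822:0050 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 20 4 30 10 -1
   3: 00000000:0016 0F00000A:D431 03 00000000:00000000 00:00000000 00000000     0        0 0 1 0000000000000000 100 0 0 10 0
"""


def decode_addr(field):
    """Turn a 'HEXIP:HEXPORT' field into ('a.b.c.d', port).

    /proc/net/tcp stores the IPv4 address as a little-endian 32-bit hex number.
    """
    hex_ip, hex_port = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
    return ip, int(hex_port, 16)


def parse_proc_net_tcp(text):
    """Parse the table into a list of dicts: local ip/port, remote ip/port, state."""
    entries = []
    for line in text.splitlines()[1:]:          # skip the header row
        cols = line.split()
        if len(cols) < 4:
            continue
        local_ip, local_port = decode_addr(cols[1])
        remote_ip, remote_port = decode_addr(cols[2])
        entries.append({
            "local": local_ip, "port": local_port,
            "remote": remote_ip, "remote_port": remote_port,
            "state": cols[3],
        })
    return entries


def listening_ports(entries, include_loopback=True):
    """Ports with a LISTEN socket. With include_loopback=False, listeners bound
    to 127.0.0.0/8 are dropped: they cannot be reached, so cannot be SYN-flooded,
    from the network."""
    ports = set()
    for e in entries:
        if e["state"] != TCP_LISTEN:
            continue
        if not include_loopback and e["local"].startswith("127."):
            continue
        ports.add(e["port"])
    return sorted(ports)


def half_open_count(entries):
    """Number of SYN_RECV entries; a rising count is what a SYN flood looks like."""
    return sum(1 for e in entries if e["state"] == TCP_SYN_RECV)


def read_syncookies(path="/proc/sys/net/ipv4/tcp_syncookies"):
    """Read the live sysctl; returns None when not on Linux or not readable."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def assess(text, syncookies):
    """Summarise exposure the way the post argues it:
    no network-reachable listener means there is nothing for syncookies to do."""
    entries = parse_proc_net_tcp(text)
    reachable = listening_ports(entries, include_loopback=False)
    return {
        "listening": listening_ports(entries),
        "reachable": reachable,
        "half_open": half_open_count(entries),
        "syncookies": syncookies,
        "syncookies_relevant": bool(reachable),
    }


if __name__ == "__main__":
    live = read_syncookies()
    print(assess(SAMPLE_PROC_NET_TCP, live if live is not None else 0))
```

On a real host, replace SAMPLE_PROC_NET_TCP with the contents of /proc/net/tcp (and /proc/net/tcp6 for IPv6 listeners, which use the same state codes but a 128-bit address field this parser does not decode). The verdict only says whether the setting can matter on that box; as the post notes, a flood large enough still costs legitimate connections whatever the sysctl says.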




More information about the fedora-devel-list mailing list