From: William Allen Simpson <william.allen.simpson@gmail.com>
To: netdev@vger.kernel.org
Subject: Re: Enable syn cookies by default
Date: Wed, 21 Oct 2009 05:16:54 -0400
Message-ID: <4ADED186.3040300@gmail.com>
In-Reply-To: <b2cc26e40910210048y43bdb604pcd356376a93c41e@mail.gmail.com>

Olaf van der Spek wrote:
> On Wed, Oct 21, 2009 at 9:25 AM, Eric Dumazet <eric.dumazet@gmail.com> wrote:
>> This is a user selectable setting. What's wrong with /etc/sysctl.conf ?
> 
> It requires user action...
> Often you notice cookies are disabled only after a service becomes unreachable.
> What's wrong with improving defaults?

I've not been a regular contributor here, so I'm not sure that my view has
much weight, but I'm *against* changing the coded default.

Keep in mind that I'm busy trying to replace syncookies with real cookies,
so I'm biased.  The syncookies interfere with new options; although in
Linux, they interfere less than other systems.

For Ubuntu, the practice is complicated.  In /etc/sysctl.conf, the text
assumes that the default is off:

# Uncomment the next line to enable TCP/IP SYN cookies
# This disables TCP Window Scaling (http://lkml.org/lkml/2008/2/5/167),
# and is not recommended.
#net.ipv4.tcp_syncookies=1

But in the default installed /etc/sysctl.d/10-network-security.conf, it
is explicitly on in any case:

# Turn on SYN-flood protections.  Starting with 2.6.26, there is no loss
# of TCP functionality/features under normal conditions.  When flood
# protections kick in under high unanswered-SYN load, the system
# should remain more stable, with a trade off of some loss of TCP
# functionality/features (e.g. TCP Window scaling).
net.ipv4.tcp_syncookies=1

As Ubuntu is debian based, perhaps they can back-port the Ubuntu changes?


> Don't forget the missing log entries.
> 
On this I agree.  I'd like the system to syslog it's under attack,
especially whenever syncookies are off.
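
The two Ubuntu fragments quoted above disagree, and which one takes effect depends on the order in which the files are applied, since the last uncommented assignment wins. As an added example (not part of this message or of the procps project), a small POSIX shell helper that resolves the effective value of a key across several sysctl files; it assumes the sysctl.d fragments are loaded before /etc/sysctl.conf, which should be checked against the distribution's own init script:

```shell
#!/bin/sh
# Added example, not from the thread. Resolves the value a sysctl key ends
# up with when several config files are applied in sequence: later files
# override earlier ones, so the last uncommented assignment wins.
# The load order used below (sysctl.d fragments, then /etc/sysctl.conf) is
# an assumption about the procps init script of the time.

# effective_sysctl KEY FILE... -> prints the last value assigned to KEY,
# or "unset" if no file sets it. Commented-out lines (#key=value) are
# ignored, and "key = value" is accepted as well as "key=value".
effective_sysctl() {
    key="$1"; shift
    value="unset"
    for f in "$@"; do
        [ -r "$f" ] || continue
        v=$(sed -e 's/#.*//' "$f" | awk -F= -v k="$key" '
            { gsub(/^[ \t]+|[ \t]+$/, "", $1); gsub(/^[ \t]+|[ \t]+$/, "", $2) }
            $1 == k { last = $2 }
            END { if (last != "") print last }')
        [ -n "$v" ] && value="$v"
    done
    printf '%s\n' "$value"
}

# What the running kernel actually uses, for comparison with the files.
runtime_syncookies() {
    cat /proc/sys/net/ipv4/tcp_syncookies 2>/dev/null || echo "unavailable"
}

# Constructed copies of the two Ubuntu fragments quoted in the message.
tmp=$(mktemp -d)
cat > "$tmp/sysctl.conf" <<'EOF'
# Uncomment the next line to enable TCP/IP SYN cookies
#net.ipv4.tcp_syncookies=1
EOF
cat > "$tmp/10-network-security.conf" <<'EOF'
# Turn on SYN-flood protections.
net.ipv4.tcp_syncookies=1
EOF

configured=$(effective_sysctl net.ipv4.tcp_syncookies \
    "$tmp/10-network-security.conf" "$tmp/sysctl.conf")
echo "configured: $configured  running kernel: $(runtime_syncookies)"
rm -rf "$tmp"
```

The commented line in sysctl.conf is ignored, so the sysctl.d fragment decides and the configured value comes out as 1; a mismatch with the /proc value means a file was edited without re-running sysctl or a later file overrides it.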
