From: Eric Dumazet
Subject: Re: Enable syn cookies by default
Date: Wed, 21 Oct 2009 09:25:06 +0200
Message-ID: <4ADEB752.50103@gmail.com>
To: Olaf van der Spek
Cc: netdev@vger.kernel.org

Olaf van der Spek wrote:
> On Thu, Oct 15, 2009 at 10:59 AM, Olaf van der Spek wrote:
>> On Sat, Oct 10, 2009 at 3:01 PM, Olaf van der Spek wrote:
>>> Hi,
>>>
>>> I'm forwarding Debian feature request #520668.
>>>
>>> Could syn cookies be enabled by default?
>>>
>>> AFAIK syn cookies only get sent when the half-open TCP connection
>>> queue is full. So stuff like window scaling should work fine in normal
>>> situations.
>>>
>>> Speaking of which:
>>> When the half-open TCP connection queue is full and syn cookies are
>>> enabled, you get a message like "kernel: possible SYN flooding on port
>>> 2710. Sending cookies."
>>> However when syn cookies are disabled, you don't get any message (in
>>> kern.log), although connections to your server are timing out.
>>> Could such a message be added?
>>> Maybe with a suggestion to increase the size of that queue or to
>>> enable syn cookies.
>>>
>>> Greetings,
>>>
>>> Olaf
>>>
>>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=520668
>>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=520667
>>> https://bugs.launchpad.net/ubuntu/+bug/57091
>>>
>> Somebody?
>
> Anybody?

This is a user selectable setting.

What's wrong with /etc/sysctl.conf ?
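
Added example, not part of the original message or of the kernel's code: the thread notes that a full half-open queue is only logged when SYN cookies are enabled, so this Python sketch reads the TcpExt counters that current kernels expose in /proc/net/netstat to surface the overflow in either case. The sample counter values are constructed, and the function names are this example's own.

```python
"""Spot SYN-queue overflow from kernel counters, with or without SYN cookies."""

# Constructed sample in /proc/net/netstat layout: a line of counter names,
# then a line of values, both prefixed with the table name.
SAMPLE_NETSTAT = """\
TcpExt: SyncookiesSent SyncookiesRecv SyncookiesFailed ListenDrops TCPReqQFullDoCookies TCPReqQFullDrop
TcpExt: 0 0 0 340 0 328
IpExt: InOctets OutOctets
IpExt: 1000 2000
"""


def parse_tcpext(text):
    """Return the TcpExt counters as a dict of name -> int."""
    rows = [ln.split() for ln in text.splitlines() if ln.startswith("TcpExt:")]
    if len(rows) != 2 or len(rows[0]) != len(rows[1]):
        raise ValueError("expected one TcpExt name line and one value line")
    return dict(zip(rows[0][1:], (int(v) for v in rows[1][1:])))


def assess(counters, syncookies):
    """syncookies is net.ipv4.tcp_syncookies: 0 off, 1 on overflow, 2 always."""
    findings = []
    dropped = counters.get("TCPReqQFullDrop", 0)
    cookied = counters.get("TCPReqQFullDoCookies", 0)
    if dropped:
        hint = "enable tcp_syncookies or raise tcp_max_syn_backlog"
        findings.append(f"{dropped} SYNs dropped on a full request queue; {hint}")
    if cookied:
        findings.append(f"SYN cookies answered {cookied} SYNs (TCPReqQFullDoCookies)")
    if syncookies == 0 and not dropped:
        findings.append("tcp_syncookies=0: an overflow would drop SYNs")
    return findings


def read_live():
    """Read the real values on a Linux host (standard procfs paths)."""
    with open("/proc/net/netstat") as f:
        counters = parse_tcpext(f.read())
    with open("/proc/sys/net/ipv4/tcp_syncookies") as f:
        return counters, int(f.read().strip())


if __name__ == "__main__":
    for line in assess(parse_tcpext(SAMPLE_NETSTAT), syncookies=0):
        print(line)
```

On a live host, `assess(*read_live())` applies the same checks to the running kernel's counters, which are cumulative since boot.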