From: William Allen Simpson <william.allen.simpson@gmail.com>
To: netdev@vger.kernel.org
Subject: Re: Enable syn cookies by default
Date: Wed, 21 Oct 2009 05:16:54 -0400 [thread overview]
Message-ID: <4ADED186.3040300@gmail.com> (raw)
In-Reply-To: <b2cc26e40910210048y43bdb604pcd356376a93c41e@mail.gmail.com>
Olaf van der Spek wrote:
> On Wed, Oct 21, 2009 at 9:25 AM, Eric Dumazet <eric.dumazet@gmail.com> wrote:
>> This is a user selectable setting. What's wrong with /etc/sysctl.conf ?
>
> It requires user action...
> Often you notice cookies are disabled only after a service becomes unreachable.
> What's wrong with improving defaults?
I've not been a regular contributor here, so I'm not sure that my view has
much weight, but I'm *against* changing the coded default.
Keep in mind that I'm busy trying to replace syncookies with real cookies,
so I'm biased. The syncookies interfere with new options; although in
Linux, they interfere less than other systems.
For Ubuntu, the practice is complicated. In /etc/sysctl.conf, the text
assumes that the default is off:
# Uncomment the next line to enable TCP/IP SYN cookies
# This disables TCP Window Scaling (http://lkml.org/lkml/2008/2/5/167),
# and is not recommended.
#net.ipv4.tcp_syncookies=1
But in the default installed /etc/sysctl.d/10-network-security.conf, it
is explicitly on in any case:
# Turn on SYN-flood protections. Starting with 2.6.26, there is no loss
# of TCP functionality/features under normal conditions. When flood
# protections kick in under high unanswered-SYN load, the system
# should remain more stable, with a trade off of some loss of TCP
# functionality/features (e.g. TCP Window scaling).
net.ipv4.tcp_syncookies=1
As Ubuntu is debian based, perhaps they can back-port the Ubuntu changes?
> Don't forget the missing log entries.
>
On this I agree. I'd like the system to syslog it's under attack,
especially whenever syncookies are off.
next prev parent reply other threads:[~2009-10-21 9:16 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <b2cc26e40910100601q7aed04acjcc9973ef06e6458f@mail.gmail.com>
2009-10-11 10:26 ` Enable syn cookies by default Frans Pop
2009-10-15 8:59 ` Olaf van der Spek
2009-10-16 8:55 ` Jarek Poplawski
2009-10-16 19:01 ` Jarek Poplawski
2009-10-16 19:56 ` Florian Westphal
2009-10-16 19:49 ` [PATCH 1/2] syncookies: print synflood warning if syn queue is full Florian Westphal
2009-10-16 19:51 ` [PATCH 2/2] syncookies: enable by default Florian Westphal
2009-12-08 14:47 ` [PATCH 1/2] syncookies: print synflood warning if syn queue is full Olaf van der Spek
2009-12-08 21:09 ` David Miller
2010-01-27 17:01 ` Olaf van der Spek
2009-10-21 7:17 ` Enable syn cookies by default Olaf van der Spek
2009-10-21 7:25 ` Eric Dumazet
2009-10-21 7:48 ` Olaf van der Spek
2009-10-21 9:16 ` William Allen Simpson [this message]
2009-10-21 10:10 ` Olaf van der Spek
2009-10-21 18:36 ` William Allen Simpson
2009-10-21 18:45 ` Olaf van der Spek
2009-10-21 13:04 ` David Miller
2009-10-21 18:04 ` William Allen Simpson
2009-11-13 12:42 ` Olaf van der Spek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4ADED186.3040300@gmail.com \
--to=william.allen.simpson@gmail.com \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).