tcp_syncookie question
Bill Davidsen
davidsen at tmr.com
Wed Jun 1 18:20:12 UTC 2011
Genes MailLists wrote:
> On 06/01/2011 12:57 PM, Bruno Wolff III wrote:
>> On Wed, Jun 01, 2011 at 11:09:35 -0400,
>>
>> Unless there is some other alternate way to maintain state in the packets,
>> the DoS attacks will still work. If you aren't worried about those you
>> could turn it off.
>>
>> Also, my memory is that there is a threshold for switching to syn cookies.
>> I don't remember where I saw the reference, but if that is correct, you
>> shouldn't be using them unless your machine is fielding lots of connections.
>
> I believe there was a proposal a few years ago but I don't know what
> became of it.
>
> I too recall a threshold below which there should be no effect - that
> said I also kind of recall it impacting some other tcp options (window
> scaling in particular was squeezed out if I remember right to make room
> for the cookie) ...
>
> and therefore some performance degradation when the machine gets busy
> ... so its never been totally problem free in that sense ...
>
>
Depending on what you do, more than "some." As physical distance goes up and
speed goes up, the penalty for small window size goes up as well. Pulling a
TB/day or so from NY to CA I used large window sizes to make it possible.
--
Bill Davidsen <davidsen at tmr.com>
"We have more to fear from the bungling of the incompetent than from
the machinations of the wicked." - from Slashdot
More information about the users
mailing list