Why is tcp_syncookies off by default? (Linux Security forums, System Security and Security Related category)
> The responses to the DoS posts here say to
> echo 1 >/proc/sys/net/ipv4/tcp_syncookies.
>
> Why is it not already 1? Is there some drawback/caveat/whatever?

Google tells all. There are potential problems, such as denying legitimate connections on a truly busy enterprise server. Enabling ecn (explicit congestion notification, tcp_ecn) is also a good idea, but it's not default because it tends to break things on occasion. A sysadmin should be knowledgeable about these options and apply them when appropriate. Turning on tcp_syncookies during an attack is a Good Idea.

-- Jem Berkes
http://www.sysdesign.ca/
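As an added example (not part of the thread or of Jem Berkes' reply), a small POSIX shell script that reads the two sysctls the reply names, counts half-open SYN_RECV sockets from /proc/net/tcp (the symptom a SYN flood produces), and reports whether the "turn on tcp_syncookies during an attack" situation has arrived. The /proc/net/tcp rows in the block are constructed, not a real capture, and the threshold of 1000 half-open sockets is a hypothetical value a sysadmin would tune per host.

```shell
#!/bin/sh
# Added example, not code from the forum thread: read the sysctls named in
# the reply and count half-open (SYN_RECV) sockets, the symptom of a SYN flood.
# File paths are parameters so the helpers can be tested on copied-out files.

# Print the state of a 0/1/2 sysctl file: off, on, always (tcp_syncookies=2
# means send cookies unconditionally), the raw value otherwise, or unknown
# when the file cannot be read (e.g. inside a restricted container).
sysctl_state() {
    [ -r "$1" ] || { echo unknown; return 0; }
    v=$(cat "$1")
    case "$v" in
        0) echo off ;;
        1) echo on ;;
        2) echo always ;;
        *) echo "$v" ;;
    esac
}

# Count half-open sockets in /proc/net/tcp-format input on stdin: column 4
# ("st") is the TCP state in hex and 03 is SYN_RECV.
count_syn_recv() {
    awk 'NR > 1 && $4 == "03" { n++ } END { print n + 0 }'
}

# Decide whether the situation in the reply has arrived: many half-open
# sockets while tcp_syncookies is not on. $1 = cookie state, $2 = SYN_RECV
# count, $3 = threshold (a hypothetical value to tune per host).
# Returns 1 when cookies should be turned on, 0 otherwise.
syn_flood_advice() {
    if [ "$1" != on ] && [ "$1" != always ] && [ "$2" -gt "$3" ]; then
        echo "possible SYN flood: $2 half-open sockets, tcp_syncookies=$1; consider: echo 1 >/proc/sys/net/ipv4/tcp_syncookies"
        return 1
    fi
    echo "ok: $2 half-open sockets, tcp_syncookies=$1"
    return 0
}

# Constructed sample in /proc/net/tcp format (not a real capture): one LISTEN
# socket (0A), two SYN_RECV (03), one ESTABLISHED (01).
SAMPLE_PROC_NET_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0016 0100007F:C350 03 00000000:00000000 00:00000000 00000000     0        0 0 1 0000000000000000 100 0 0 10 -1
   2: 0100007F:0016 0100007F:C351 03 00000000:00000000 00:00000000 00000000     0        0 0 1 0000000000000000 100 0 0 10 -1
   3: 0100007F:0016 0100007F:C352 01 00000000:00000000 00:00000000 00000000     0        0 5678 1 0000000000000000 100 0 0 10 -1'

# Run on the constructed sample, then on the live host when /proc is readable.
main() {
    n=$(printf '%s\n' "$SAMPLE_PROC_NET_TCP" | count_syn_recv)
    echo "sample: $n half-open sockets"
    syn_flood_advice off "$n" 1 || true

    cookies=$(sysctl_state /proc/sys/net/ipv4/tcp_syncookies)
    ecn=$(sysctl_state /proc/sys/net/ipv4/tcp_ecn)
    echo "live: tcp_syncookies=$cookies tcp_ecn=$ecn"
    if [ -r /proc/net/tcp ]; then
        live=$(count_syn_recv < /proc/net/tcp)
        syn_flood_advice "$cookies" "$live" 1000 || true
    fi
}

main
```

The echo into /proc/sys takes effect immediately but does not survive a reboot; to make the choice permanent once you have decided it suits the host, set net.ipv4.tcp_syncookies = 1 in /etc/sysctl.conf or a file under /etc/sysctl.d/.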