In an effort to prevent DDoS attacks I followed suggestions to leave the /proc/sys/net/ipv4/tcp_syncookies value set to 1 on my Linux box to enable TCP SYN cookies.
However, when I look at this URL: http://ckdake.com/content/2007/disadvantages-of-tcp-syn-cookies.html
It tells me that if I enable tcp_syncookies then half the TCP features, including large window management, will be disabled, which could then reduce performance.
I read elsewhere that part of the purpose of SYN cookies is to expand the TCP SYN backlog buffer beyond its upper limit (set via /proc/sys/net/ipv4/tcp_max_syn_backlog) when more packets come in, so packets don’t drop.
I want to be able to disable SYN cookies so I can take full advantage of TCP and make my server run faster, and continue to not have DDoS attacks. I can easily increase the SYN buffer and the maximum connections, but I think there's a point where I'll run out of memory if I go too high.
Does anyone have a good alternative method to SYN cookies on a heavy server without potentially being attacked by DDoS? I want to enjoy the features of TCP and serve content very fast to users.
Answer
Ubuntu 10.04 ships the following default setting in “sysctl.d/10-network-security.conf”:
# Turn on SYN-flood protections. Starting with 2.6.26, there is no loss
# of TCP functionality/features under normal conditions. When flood
# protections kick in under high unanswered-SYN load, the system
# should remain more stable, with a trade off of some loss of TCP
# functionality/features (e.g. TCP Window scaling).
net.ipv4.tcp_syncookies=1
Attribution
Source: Link, Question Author: Community, Answer Author: petertc
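The comment quoted in the answer makes the practical point: with tcp_syncookies=1 the kernel only falls back to cookies (and loses options such as window scaling for those connections) once the listen backlog actually overflows. Whether that ever happens on a given server is visible in the kernel's TcpExt counters. The script below is an added example, not code from the original question, answer or Ubuntu; the helper names (netstat_counter, syncookies_active, backlog_report) and the two sample counter dumps are constructed here in the layout of /proc/net/netstat, and the live check at the end assumes a Linux host with a readable /proc/net/netstat and a sysctl binary on PATH.

```sh
#!/bin/sh
# Added example, not part of the original question or answer.
# Reads TcpExt counters (layout of /proc/net/netstat) to tell whether
# SYN cookies have actually been sent, i.e. whether the listen backlog
# has overflowed. A server whose SyncookiesSent counter stays at 0 has
# never used a cookie and so has lost no TCP options to them.

# Constructed sample in /proc/net/netstat layout: a header line naming
# the counters, then a value line with the same prefix.
SAMPLE_FLOODED='TcpExt: SyncookiesSent SyncookiesRecv SyncookiesFailed EmbryonicRsts ListenOverflows ListenDrops
TcpExt: 1532 1498 4 0 1532 1532
IpExt: InNoRoutes InTruncatedPkts
IpExt: 0 0'

SAMPLE_QUIET='TcpExt: SyncookiesSent SyncookiesRecv SyncookiesFailed EmbryonicRsts ListenOverflows ListenDrops
TcpExt: 0 0 0 0 0 0
IpExt: InNoRoutes InTruncatedPkts
IpExt: 0 0'

# netstat_counter FILE NAME: print the value of counter NAME from FILE
# (prints nothing if the counter is absent).
netstat_counter() {
    awk -v name="$2" '
        # first line seen for a prefix is the header: locate the column
        !($1 in col) { col[$1] = 0
                       for (i = 2; i <= NF; i++) if ($i == name) col[$1] = i
                       next }
        # second line with the same prefix carries the values
        col[$1] > 0 { print $(col[$1]); exit }
    ' "$1"
}

# syncookies_active FILE: "yes" if cookies have ever been sent, else "no".
syncookies_active() {
    sent=$(netstat_counter "$1" SyncookiesSent)
    if [ "${sent:-0}" -gt 0 ]; then echo yes; else echo no; fi
}

# backlog_report FILE: one-line summary of the overflow-related counters.
backlog_report() {
    printf 'syncookies_sent=%s listen_overflows=%s listen_drops=%s\n' \
        "$(netstat_counter "$1" SyncookiesSent)" \
        "$(netstat_counter "$1" ListenOverflows)" \
        "$(netstat_counter "$1" ListenDrops)"
}

# Write the constructed samples to temp files so the functions can be
# exercised without a live system.
FLOODED_FILE=$(mktemp); printf '%s\n' "$SAMPLE_FLOODED" > "$FLOODED_FILE"
QUIET_FILE=$(mktemp);   printf '%s\n' "$SAMPLE_QUIET"   > "$QUIET_FILE"

backlog_report "$FLOODED_FILE"  # syncookies_sent=1532 listen_overflows=1532 listen_drops=1532
backlog_report "$QUIET_FILE"    # syncookies_sent=0 listen_overflows=0 listen_drops=0

# Live check (Linux only, assumed path): same counters from the kernel,
# plus the two sysctls the question discusses.
if [ -r /proc/net/netstat ]; then
    echo "live: $(backlog_report /proc/net/netstat) syncookies_active=$(syncookies_active /proc/net/netstat)"
    sysctl net.ipv4.tcp_syncookies net.ipv4.tcp_max_syn_backlog 2>/dev/null || true
fi
```

If SyncookiesSent and ListenOverflows stay at zero under normal load, leaving tcp_syncookies=1 costs nothing, and the counters climbing is the signal that the backlog (tcp_max_syn_backlog, or the per-socket limit shown in the Send-Q column of `ss -ltn` for listening sockets) is the thing to raise. The same counters can be read with `nstat -az TcpExtSyncookiesSent` from iproute2.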