by zem
4147 days ago
I wasn't familiar with syncookies, but the article you linked to says

> Syncookies are discouraged these days. They disable too many valuable TCP features (window scaling, SACK) and even without them the kernel is usually strong enough to defend against syn floods and systems have much more memory than they used to be. So I don't think it makes much sense to add more code to it, sorry.

"I can trivially prevent any inbound client connections with 2 threads of syn flood. Enabling tcp_syncookies brings the connection handling back up to 725 fetches per second."
"This data compellingly supports the continued value of the syncookie and that position seems to have won the day."
Of course this refers to the Linux TCP/IP stack; the Mirage stack is completely different, so it remains to be seen what measures will be effective against syn floods.