Re: Stupid Question: How to enable TCP SYN cookies.
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: Stupid Question: How to enable TCP SYN cookies.
- From: HKSPKS_(_at_)_aol_(_dot_)_com
- Date: Sun, 27 Apr 2003 16:51:12 EDT
In a message dated 4/27/2003 5:56:47 AM Central Standard Time,
jasondixon_(_at_)_myrealbox_(_dot_)_com writes:
> On Sun, 2003-04-27 at 04:45, calyth wrote:
> > From the Why Cryptography page, it says TCP SYN cookies aren't enabled by
> > default.
>
> Which page are you referring to? crypto.html has no reference to
> cookies that I see. AFAIK, SYN cookies were removed many moons ago.
>
> > I'm interested in getting it working because my firewall is using
> > OpenBSD (of course) and may benefit from the SYN cookies.
> > I know that I'm supposed to mess with options (4) and config (8), but I
> > cannot find any relevant information.
> > Could someone please tell me how to get this working, or a really good
> > reason why this isn't enabled by default anyways?
>
> http://marc.theaimsgroup.com/?l=openbsd-misc&m=104642630724331&w=2
> http://www.whitefang.com/sup/secure-faq.html#GENERAL5
>
> --
> Jason Dixon <jasondixon_(_at_)_myrealbox_(_dot_)_com>
>
As quoted from the whitefang.com link:
"The OpenBSD developers implemented a work-around that caused old half-open
TCP connections to be randomly dropped when new connection requests arrived
on a full backlog. This allowed new connections to be established even with a
constant SYN-flood taking place. The old bogus connections would be dropped
at the behest of a new connection, legitimate or not. The randomness was
implemented to be fair to all incoming connections. Although arguably with a
large enough flood this technique may fail, it did have good results as
tested by the developers."
If TCP cookies are no longer used in obsd, is this still the current method
for dropping half-open connections? Is this random-drop feature enabled by
default? If not, how can we enable it?
Thanks,
Adam Wenzel
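The random-drop work-around quoted above, as an added example that is not code from this thread or from OpenBSD's kernel: a small Python model of a listen socket's half-open backlog under a constant flood of bogus SYNs, comparing the classic "drop the new SYN when the backlog is full" behaviour with evicting one existing half-open entry at random. The backlog size, the flood rates, the uniform choice of victim and the "one round trip per client" timing are constructed assumptions for the model, not OpenBSD's actual parameters or implementation.

```python
import random


class SynBacklog:
    """Simplified model of a listening socket's half-open (SYN_RCVD) queue.

    policy "reject":      a SYN arriving on a full backlog is dropped
                          (the classic behaviour a SYN flood exploits).
    policy "random_drop": a SYN arriving on a full backlog evicts one existing
                          half-open entry chosen uniformly at random, which is
                          the work-around the quoted whitefang.com text describes.
    """

    def __init__(self, size, policy, rng):
        self.size = size
        self.policy = policy
        self.rng = rng
        self.queue = []      # client ids whose SYN was accepted but not yet ACKed
        self.rejected = 0    # SYNs dropped because the backlog was full
        self.evicted = 0     # half-open entries thrown out to make room

    def syn(self, client):
        """Handle an incoming SYN. Returns True if a half-open entry now exists."""
        if len(self.queue) < self.size:
            self.queue.append(client)
            return True
        if self.policy == "reject":
            self.rejected += 1
            return False
        # Assumed eviction rule: every existing entry is equally likely to go,
        # legitimate or not, matching the "fair to all incoming connections" remark.
        victim = self.rng.randrange(len(self.queue))
        self.queue[victim] = client
        self.evicted += 1
        return True

    def ack(self, client):
        """Handle the client's final ACK: the handshake completes only if the
        half-open entry survived until the ACK arrived."""
        try:
            self.queue.remove(client)
        except ValueError:
            return False
        return True


def simulate(policy, backlog=128, flood_per_rtt=50, legit_clients=100, seed=1):
    """Fraction of legitimate handshakes that complete while a constant flood
    of bogus SYNs (which are never ACKed) keeps the backlog full.

    Each legitimate client sends one SYN, waits one round trip during which
    flood_per_rtt bogus SYNs arrive, then sends its ACK. All numbers are
    constructed defaults for the model.
    """
    q = SynBacklog(backlog, policy, random.Random(seed))
    # Constructed starting state: the flood has already filled the backlog.
    for i in range(backlog):
        q.syn(f"bogus-initial-{i}")
    completed = 0
    for c in range(legit_clients):
        client = f"legit-{c}"
        q.syn(client)
        for i in range(flood_per_rtt):
            q.syn(f"bogus-{c}-{i}")
        if q.ack(client):
            completed += 1
    return completed / legit_clients


if __name__ == "__main__":
    for policy in ("reject", "random_drop"):
        print(f"{policy:12s} moderate flood: {simulate(policy):.2f} of handshakes complete")
    # The caveat in the quoted text: a large enough flood defeats random drop too.
    print(f"random_drop  heavy flood:    {simulate('random_drop', flood_per_rtt=2000):.2f}")
```

With the "reject" policy a backlog full of bogus entries never admits a legitimate SYN, so nothing completes; with random drop the legitimate entry is always admitted and survives with probability roughly (1 - 1/backlog)^flood_per_rtt, which is why the quoted text can say the technique works for moderate floods but "with a large enough flood may fail". Tuning the flood and backlog arguments shows where that crossover sits for the model.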