[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Stupid Question: How to enable TCP SYN cookies.
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: Stupid Question: How to enable TCP SYN cookies.
- From: HKSPKS_(_at_)_aol_(_dot_)_com
- Date: Sun, 27 Apr 2003 16:51:12 EDT
In a message dated 4/27/2003 5:56:47 AM Central Standard Time,
> On Sun, 2003-04-27 at 04:45, calyth wrote:
> > From the why Crytography page, it says TCP SYN cookies isn't enabled by
> Which page are you referring to? crypto.html has no reference to
> cookies that I see. AFAIK, SYN cookies were removed many moons ago.
> >I'm interested in getting it working because my firewall is using
> >OpenBSD (of course) and may benefit from the SYN cookies.
> >I know that I'm supposed to mess with options (4) and config (8), but I
> >cannot find any relevent information.
> >Could someone please tell me how to get this working, or a really good
> >reason why this isn't enabled by default anyways?
> Jason Dixon <jasondixon_(_at_)_myrealbox_(_dot_)_com>
As quoted from the whitefang.com link:
"The OpenBSD developers implemented a work-around that caused old half-open
TCP connections to be randomly dropped when new connection requests arrived
on a full backlog. This allowed new connections to be established even with a
constant SYN-flood taking place. The old bogus connections would be dropped
at the behest of a new connection, legitimate or not. The randomness was
implemented to be fair to all incoming connections. Although arguably with a
large enough flood this technique may fail, it did have good results as
tested by the developers."
If TCP cookies are no longer used in obsd, is this still the current method
for dropping half-open connections? Is this random-drop feature enabled by
default? If not, how can we enable it?
Visit your host, monkey.org