From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on sa.int.altlinux.org X-Spam-Level: X-Spam-Status: No, score=-1.8 required=5.0 tests=AWL,BAYES_00 autolearn=ham version=3.2.5 Date: Sat, 19 Sep 2009 14:20:11 +0300 From: Michael Shigorin To: community@lists.altlinux.org Message-ID: <20090919112011.GC28241@osdn.org.ua> Mail-Followup-To: community@lists.altlinux.org References: <200909162111.33632.marsden@mail.ru> Mime-Version: 1.0 Content-Type: text/plain; charset=koi8-r Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <200909162111.33632.marsden@mail.ru> User-Agent: Mutt/1.4.2.1i Subject: Re: [Comm] =?koi8-r?b?a3RvcnJlbnQgJiDMz8fJ?= X-BeenThere: community@lists.altlinux.org X-Mailman-Version: 2.1.12 Precedence: list Reply-To: shigorin@gmail.com, ALT Linux Community general discussions List-Id: ALT Linux Community general discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 19 Sep 2009 11:20:30 -0000 Archived-At: List-Archive: List-Post: On Wed, Sep 16, 2009 at 09:11:33PM +0600, Denis Nazarov wrote: > Наблюдаю в /var/log/messages следующее > localhost kernel: possible SYN flooding on port 52722. Sending cookies. > и так много-много раз. На этом порту сидит ktorrent на раздаче, > подозреваю, что система так реагирует на подключения трекера. > Насколько это страшно и можно ли отучить систему реагировать? Например, net.ipv4.tcp_max_syn_backlog = 1024 в /etc/sysctl.conf > И какие куки и куда кернел отсылает? Боевые, на потенциального супостата. :] --- tcp_syncookies - BOOLEAN Only valid when the kernel was compiled with CONFIG_SYNCOOKIES Send out syncookies when the syn backlog queue of a socket overflows. This is to prevent against the common 'SYN flood attack' Default: FALSE Note, that syncookies is fallback facility. It MUST NOT be used to help highly loaded servers to stand against legal connection rate. If you see SYN flood warnings in your logs, but investigation shows that they occur because of overload with legal connections, you should tune another parameters until this warning disappear. See: tcp_max_syn_backlog, tcp_synack_retries, tcp_abort_on_overflow. syncookies seriously violate TCP protocol, do not allow to use TCP extensions, can result in serious degradation of some services (f.e. SMTP relaying), visible not by you, but your clients and relays, contacting you. While you see SYN flood warnings in logs not being really flooded, your server is seriously misconfigured. --- Documentation/networking/ip-sysctl.txt -- ---- WBR, Michael Shigorin ------ Linux.Kiev http://www.linux.kiev.ua/