From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <mike@fly.osdn.org.ua>
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on sa.int.altlinux.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.8 required=5.0 tests=AWL,BAYES_00 autolearn=ham
	version=3.2.5
Date: Sat, 19 Sep 2009 14:20:11 +0300
From: Michael Shigorin <mike@osdn.org.ua>
To: community@lists.altlinux.org
Message-ID: <20090919112011.GC28241@osdn.org.ua>
Mail-Followup-To: community@lists.altlinux.org
References: <200909162111.33632.marsden@mail.ru>
Mime-Version: 1.0
Content-Type: text/plain; charset=koi8-r
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <200909162111.33632.marsden@mail.ru>
User-Agent: Mutt/1.4.2.1i
Subject: Re: [Comm] =?koi8-r?b?a3RvcnJlbnQgJiDMz8fJ?=
X-BeenThere: community@lists.altlinux.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: shigorin@gmail.com, ALT Linux Community general discussions
	<community@lists.altlinux.org>
List-Id: ALT Linux Community general discussions <community.lists.altlinux.org>
List-Unsubscribe: <https://lists.altlinux.org/mailman/options/community>,
	<mailto:community-request@lists.altlinux.org?subject=unsubscribe>
List-Archive: <http://lists.altlinux.org/pipermail/community>
List-Post: <mailto:community@lists.altlinux.org>
List-Help: <mailto:community-request@lists.altlinux.org?subject=help>
List-Subscribe: <https://lists.altlinux.org/mailman/listinfo/community>,
	<mailto:community-request@lists.altlinux.org?subject=subscribe>
X-List-Received-Date: Sat, 19 Sep 2009 11:20:30 -0000
Archived-At: <http://lore.altlinux.org/community/20090919112011.GC28241@osdn.org.ua/>
List-Archive: <http://lore.altlinux.org/community/>
List-Post: <mailto:mandrake-russian@linuxteam.iplabs.ru>

On Wed, Sep 16, 2009 at 09:11:33PM +0600, Denis Nazarov wrote:
> Наблюдаю в /var/log/messages следующее
> localhost kernel: possible SYN flooding on port 52722. Sending cookies.
> и так много-много раз. На этом порту сидит ktorrent на раздаче,
> подозреваю, что система так реагирует на подключения трекера.
> Насколько это страшно и можно ли отучить систему реагировать?

Например, net.ipv4.tcp_max_syn_backlog = 1024 в /etc/sysctl.conf

> И какие куки и куда кернел отсылает?

Боевые, на потенциального супостата. :]

---
tcp_syncookies - BOOLEAN
        Only valid when the kernel was compiled with CONFIG_SYNCOOKIES
        Send out syncookies when the syn backlog queue of a socket
        overflows. This is to prevent against the common 'SYN flood attack'
        Default: FALSE

        Note, that syncookies is fallback facility.
        It MUST NOT be used to help highly loaded servers to stand
        against legal connection rate. If you see SYN flood warnings
        in your logs, but investigation shows that they occur
        because of overload with legal connections, you should tune
        another parameters until this warning disappear.
        See: tcp_max_syn_backlog, tcp_synack_retries, tcp_abort_on_overflow.

        syncookies seriously violate TCP protocol, do not allow
        to use TCP extensions, can result in serious degradation
        of some services (f.e. SMTP relaying), visible not by you,
        but your clients and relays, contacting you. While you see
        SYN flood warnings in logs not being really flooded, your server
        is seriously misconfigured.
--- Documentation/networking/ip-sysctl.txt

-- 
 ---- WBR, Michael Shigorin <mike@altlinux.ru>
  ------ Linux.Kiev http://www.linux.kiev.ua/