Philipp Snizek wrote:
Hi all
Yesterday there was a discussion about kernel options like tcp_syncookies. On exactly this matter I hope to get an answer to the following:
Taken from http://www2.little-idiot.de/firewall/zusammen-49.html I quote:
Syn cookies should be switched off, especially since they only prevent an attack if the attacker works with LINUX and activated SYN cookies. Otherwise they are susceptible to DoS. End of quote.
Translation: Syn cookies should be disabled. An attack can only be prevented if the attacker uses Linux with SYN cookies activated as well. With SYN cookies enabled, one is susceptible to DoS.
Please don't hang me because of translation errors.
Does anybody have more information (I do not mean www.bb-zone.com - I didn't find much there) about this? Whether it is true and mainly what DoS attacks it does not defend against?
Thank you Philipp
---------------------------------------------------------------------
SYN cookies protect against TCP SYN flooding. They prevent DoS attacks of this type. TCP SYN flooding occurs when numerous connection requests with spoofed IP addresses are launched against a host by an attacker. Without SYN cookies enabled, the victim host tries in vain to service the connection requests - committing resources to connections with non-existent hosts. SYN cookies modify the TCP handshake sequence in such a way that the host initiating the connection (the caller) MUST receive a cookie from the called host, and _use_that_cookie_ to complete the so-called 3-way handshake. Resources are effectively not committed at the called host unless this occurs. Thus only legitimate (real) hosts may connect.

This is all off the top of my head. I hope it makes sense.

Cheers - Les Catterall
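To make the mechanism Les describes concrete (and the tcp_syncookies option Philipp asks about), here is an added example that is not part of either message and not the Linux kernel's code: a toy server that models the half-open backlog with and without SYN cookies. The cookie layout follows Bernstein's published description (5-bit time counter, 3-bit MSS index, 24-bit keyed MAC over the connection 4-tuple); the secret, the addresses, the backlog size and the Server class are all constructed for the demo. The point it shows is the one in the reply: with cookies, the server keeps no state for a SYN, and an ACK only completes the handshake if it echoes a cookie the server itself computed, so spoofed SYNs from non-existent hosts consume nothing while a real client still connects.

```python
import hmac
import hashlib
import random
import struct
from dataclasses import dataclass, field

# Constructed demo secret; a real implementation uses a random per-boot secret.
SECRET = b"constructed-demo-secret"
# MSS values the 3-bit index can encode (the cookie cannot carry the peer's exact MSS).
MSS_TABLE = [536, 1300, 1440, 1460]
MASK32 = 0xFFFFFFFF


def _mac24(saddr, daddr, sport, dport, count):
    """24-bit keyed MAC over the 4-tuple and the time counter (truncated HMAC-SHA256)."""
    msg = struct.pack("!4s4sHHI", saddr, daddr, sport, dport, count)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(saddr, daddr, sport, dport, peer_mss, count):
    """Build the ISN sent in SYN-ACK: 5-bit counter | 3-bit MSS index | 24-bit MAC."""
    usable = [i for i, m in enumerate(MSS_TABLE) if m <= peer_mss]
    mss_idx = max(usable) if usable else 0          # largest table MSS not above the peer's
    return ((count & 0x1F) << 27) | (mss_idx << 24) | _mac24(saddr, daddr, sport, dport, count)


def check_cookie(saddr, daddr, sport, dport, cookie, now_count, window=2):
    """Return the encoded MSS if the cookie is genuine and fresh, else None."""
    count = cookie >> 27                             # cookie is 32-bit, so this is the 5-bit counter
    mss_idx = (cookie >> 24) & 0x7
    if (now_count - count) % 32 > window:            # stale: counter outside the accepted window
        return None
    if (cookie & 0xFFFFFF) != _mac24(saddr, daddr, sport, dport, count):
        return None                                  # not a cookie this server issued
    return MSS_TABLE[mss_idx]


@dataclass
class Server:
    addr: bytes
    port: int
    syncookies: bool
    backlog: int = 4                                 # deliberately tiny half-open queue
    clock: int = 0                                   # coarse time counter (minutes in Bernstein's scheme)
    half_open: dict = field(default_factory=dict)    # (saddr, sport) -> ISN, only without cookies
    established: set = field(default_factory=set)
    dropped: int = 0

    def on_syn(self, saddr, sport, peer_mss=1460):
        """Handle a SYN; return the ISN placed in the SYN-ACK, or None if the SYN is dropped."""
        if self.syncookies:
            # No state kept: the ISN itself is the cookie.
            return make_cookie(saddr, self.addr, sport, self.port, peer_mss, self.clock)
        if len(self.half_open) >= self.backlog:
            self.dropped += 1                        # queue full: legitimate SYNs are lost too
            return None
        isn = random.getrandbits(32)
        self.half_open[(saddr, sport)] = isn         # resources committed before the peer proves itself
        return isn

    def on_ack(self, saddr, sport, ack):
        """Handle the final ACK of the handshake; return True if the connection is established."""
        key = (saddr, sport)
        if self.syncookies:
            cookie = (ack - 1) & MASK32
            if check_cookie(saddr, self.addr, sport, self.port, cookie, self.clock) is None:
                return False
            self.established.add(key)
            return True
        isn = self.half_open.get(key)
        if isn is None or ack != (isn + 1) & MASK32:
            return False
        del self.half_open[key]
        self.established.add(key)
        return True


def flood_then_connect(syncookies, spoofed=20):
    """Send `spoofed` SYNs whose ACKs never arrive, then let one real client try to connect."""
    srv = Server(addr=bytes([10, 0, 0, 1]), port=80, syncookies=syncookies)
    for i in range(spoofed):                         # constructed source addresses from 192.0.2.0/24
        srv.on_syn(bytes([192, 0, 2, i + 1]), 40000 + i)
    client = (bytes([198, 51, 100, 7]), 51000)
    isn = srv.on_syn(*client)
    connected = isn is not None and srv.on_ack(*client, ack=(isn + 1) & MASK32)
    return {"half_open": len(srv.half_open), "dropped": srv.dropped, "legit_connected": connected}


def bogus_ack_rejected():
    """An ACK that does not echo a server-issued cookie never establishes a connection."""
    srv = Server(addr=bytes([10, 0, 0, 1]), port=80, syncookies=True)
    return not srv.on_ack(bytes([198, 51, 100, 7]), 51000, ack=0x12345678)


def stale_cookie_rejected():
    """A genuine cookie is refused once the time counter has moved past the window."""
    srv = Server(addr=bytes([10, 0, 0, 1]), port=80, syncookies=True)
    client = (bytes([198, 51, 100, 7]), 51000)
    isn = srv.on_syn(*client)
    srv.clock += 3                                   # beyond the default window of 2 ticks
    return not srv.on_ack(*client, ack=(isn + 1) & MASK32)


if __name__ == "__main__":
    print("syncookies off:", flood_then_connect(False))
    print("syncookies on: ", flood_then_connect(True))
```

Running it shows the backlog filling with four phantom entries and the real client being dropped when cookies are off, versus an empty backlog and a successful connection when they are on. The check depends only on the server's secret and clock; nothing about the client's operating system enters into it. The price of the scheme is visible in the code too: the cookie has room for a coarse MSS index and nothing else, so TCP options the server cannot fit into the ISN are lost for cookie-negotiated connections, which is why Linux only falls back to cookies when the SYN queue actually overflows rather than for every connection.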