New subject: [suse-security] is it possible to disable SYN flooding protection for port 80?

21 Jan 2002

      Hi Kai,

don't worry about those log messages, it just means that there was
a high amount of traffic (SYN's in particular) detected on port 80
and that therefore the server will send out SYN cookies.

SYN cookies are a small amount of data that your server includes
 in its answers to SYN packets, and that the foreign system(s)
will have to include in theyr response again (3way Handshake,
someone please correct me if I'm wrong here).

This was designed to prevent spoofed SYNs from exhausting
all resources on your server machine (by leaving tons of half-open
connections).

I would recommend that you don't turn that off, but thats just my
humble opinion.

hope this helps
Chris Burri

    .-.
    /v\    L   I   N   U   X
   // \\   >I know KungFu!!<
  /(   )\
   ^^-^^

|--------+----------------------->
|        |          "Kai-H.      |
|        |          Weutzing"    |
|        |                   |
|        |                       |
|        |          20.01.2002   |
|        |          15:42        |
|        |                       |
|--------+----------------------->
...
----------------------------------------------------------------------------------------------------------------------------------------|
  |                                                                                                                                        |
  |       An:                                                                                                      |
  |       Kopie:                                                                                                                           |
  |       Thema:  [suse-security] is it possible to disable SYN flooding protection for port 80?                                           |
----------------------------------------------------------------------------------------------------------------------------------------|
Hi,

my webserver reports sometimes a

Jan 20 14:02:11 xxxxxxxx kernel: possible SYN flooding on port 80. Sending
cookies.
Jan 20 14:02:11 xxxxxxxx kernel: klogd 1.3-3, ---------- state
change ----------
Jan 20 14:02:11 xxxxxxxx kernel: Inspecting /boot/System.map-2.2.18
Jan 20 14:02:11 xxxxxxxx kernel: Loaded 10080 symbols from
/boot/System.map-2.2.18.
Jan 20 14:02:11 xxxxxxxx kernel: Symbols match kernel version 2.2.18.
Jan 20 14:02:11 xxxxxxxx kernel: Loaded 258 symbols from 2 modules.

So I think its no attack than a high traffic on my webserver. So what can I
do? Is it possible to disable the SYN flood protection for port 80 (I
didn't
like to it) or can I modify the detection parameters of this protection
routine? (I didn't like to read the kernel sources and re-compile it :-)

Thx a lot... Kai

EOT

--
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com

RE: [suse-security] is it possible to disable SYN flooding protection for port 80?

christian.burri＠synecta.ch

Peter Wiersig

tags

participants (2)