Mailinglist Archive: opensuse-security (757 mails)

Re: [suse-security] is it possible to disable SYN flooding protection for port 80?
  • From: Peter Wiersig <wiersig@xxxxxxxxx>
  • Date: Mon, 21 Jan 2002 11:15:02 +0100
  • Message-id: <200201211010.LAA19225@xxxxxxxxxxxxx>
On Monday, 21 January 2002 11:00, christian.burri@xxxxxxxxxx wrote:

> don't worry about those log messages, it just means that there was
> a high amount of traffic (SYN's in particular) detected on port 80
> and that therefore the server will send out SYN cookies.
> (...)
> This was designed to prevent spoofed SYNs from exhausting
> all resources on your server machine (by leaving tons of half-open
> connections).
>
> I would recommend that you don't turn that off, but that's just my
> humble opinion.

If you have a really busy server, and your requests come from a busy proxy
(aol.com, t-online.de), your SYN-flood protection could deny legitimate users.

But I agree with you that this setting is useful and should not be
deactivated if you don't have a load-balancing cluster where the bottleneck is
the public host.

I would investigate further with tools like tcpdump and check whether there are
only packets to port 80 with the SYN bit set. If the other system does not
try to fully establish the connection, the kernel does its best to prevent a
DoS attack.

I got messages from scanlogd that an FTP server was trying to port-scan me, and
the first time I was about to shut down my machine, but it was myself who had
activated the YaST online update, and the other server was responding very
fast and sent me all the needed files without large gaps.

If he is trying to benchmark his system to see how many hits his web server can
support, this setting is probably not needed, but I would do that benchmark
in a network not connected to other networks (especially the internet) and switch
this setting off for the duration of the benchmark.

Peter
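The check Peter suggests above (capture with tcpdump and see whether the sources only ever send SYNs, or whether they go on to finish the handshake) can be automated. The following script is an added example and is not part of the original mail or of any SUSE tool: it parses the text output of `tcpdump -nn` for a server port, tracks each client flow, and reports per source address how many SYNs arrived and how many of those flows were followed by a client ACK. A busy proxy shows many SYNs but also many completed handshakes; a spoofed SYN flood shows SYNs that are never followed by anything. The sample capture, the addresses (RFC 5737 documentation ranges), the thresholds in `classify()` and the function names are all constructed for this illustration.

```python
import re
from collections import defaultdict

# Fields we need from one line of "tcpdump -nn" output (IPv4 + TCP only).
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed sample capture (not a real trace). 203.0.113.5 behaves like a
# busy proxy: several SYNs from different source ports, most of them followed
# by an ACK. 198.51.100.7 behaves like a spoofed flood: SYNs only.
SAMPLE = """\
11:15:02.000001 IP 203.0.113.5.40001 > 192.0.2.10.80: Flags [S], seq 1, win 65535, length 0
11:15:02.000002 IP 192.0.2.10.80 > 203.0.113.5.40001: Flags [S.], seq 100, ack 2, win 65535, length 0
11:15:02.000003 IP 203.0.113.5.40001 > 192.0.2.10.80: Flags [.], ack 101, win 65535, length 0
11:15:02.000004 IP 203.0.113.5.40002 > 192.0.2.10.80: Flags [S], seq 1, win 65535, length 0
11:15:02.000005 IP 203.0.113.5.40002 > 192.0.2.10.80: Flags [P.], seq 1:80, ack 1, win 65535, length 79
11:15:02.000006 IP 203.0.113.5.40003 > 192.0.2.10.80: Flags [S], seq 1, win 65535, length 0
11:15:02.000007 IP 203.0.113.5.40003 > 192.0.2.10.80: Flags [.], ack 1, win 65535, length 0
11:15:02.000008 IP 203.0.113.5.40004 > 192.0.2.10.80: Flags [S], seq 1, win 65535, length 0
11:15:02.000009 IP 198.51.100.7.50001 > 192.0.2.10.80: Flags [S], seq 1, win 1024, length 0
11:15:02.000010 IP 198.51.100.7.50002 > 192.0.2.10.80: Flags [S], seq 1, win 1024, length 0
11:15:02.000011 IP 198.51.100.7.50003 > 192.0.2.10.80: Flags [S], seq 1, win 1024, length 0
11:15:02.000012 IP 198.51.100.7.50004 > 192.0.2.10.80: Flags [S], seq 1, win 1024, length 0
11:15:02.000013 IP 198.51.100.7.50005 > 192.0.2.10.80: Flags [S], seq 1, win 1024, length 0
11:15:02.000014 IP 192.0.2.99.51000 > 192.0.2.10.80: Flags [S], seq 1, win 65535, length 0
11:15:02.000015 ARP, Request who-has 192.0.2.1 tell 192.0.2.10, length 28
"""


def parse_line(line):
    """Return the parsed fields of a tcpdump line, or None for non-TCP/IPv4 lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["sport"] = int(pkt["sport"])
    pkt["dport"] = int(pkt["dport"])
    return pkt


def summarize(lines, server_port=80):
    """Per source address: SYNs seen, flows that reached a client ACK, distinct source ports.

    Only client-to-server segments (dport == server_port) are considered, so the
    server's own SYN-ACK replies are ignored automatically.
    """
    flows = {}  # (src, sport, dst, dport) -> {"syn": bool, "acked": bool}
    for line in lines:
        pkt = parse_line(line)
        if pkt is None or pkt["dport"] != server_port:
            continue
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        state = flows.setdefault(key, {"syn": False, "acked": False})
        flags = pkt["flags"]
        if "S" in flags:
            state["syn"] = True
        elif "." in flags or "P" in flags:
            # Any client segment carrying ACK but no SYN means the three-way
            # handshake completed; a spoofed source never sends this.
            state["acked"] = True

    per_src = defaultdict(lambda: {"syns": 0, "completed": 0, "ports": set()})
    for (src, sport, _dst, _dport), state in flows.items():
        if state["syn"]:
            per_src[src]["syns"] += 1
            per_src[src]["ports"].add(sport)
            if state["acked"]:
                per_src[src]["completed"] += 1
    return {
        src: {"syns": v["syns"], "completed": v["completed"], "ports": len(v["ports"])}
        for src, v in per_src.items()
    }


def classify(stats, min_syns=3, max_ratio=0.25):
    """Label each source; thresholds are illustrative and should be tuned per site."""
    verdict = {}
    for src, v in stats.items():
        ratio = v["completed"] / v["syns"] if v["syns"] else 1.0
        if v["syns"] >= min_syns and ratio <= max_ratio:
            verdict[src] = "syn-only (flood-like)"
        else:
            verdict[src] = "completing handshakes (legitimate load)"
    return verdict


if __name__ == "__main__":
    stats = summarize(SAMPLE.splitlines())
    for src, label in classify(stats).items():
        v = stats[src]
        print(f"{src:16} syns={v['syns']:3} completed={v['completed']:3} ports={v['ports']:3}  {label}")
```

Feed it a real capture with something like `tcpdump -nn -i eth0 'tcp port 80' | python3 synflows.py` after replacing `SAMPLE` with stdin (the script name is a placeholder). If the flood-like sources are also the ones you expect to serve (a large proxy, a load balancer in front of you), the cookies are hurting real users; if they are random addresses that never complete a handshake, the kernel is doing exactly what the log message says. On Linux the setting under discussion is the `net.ipv4.tcp_syncookies` sysctl (`/proc/sys/net/ipv4/tcp_syncookies`).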
