Comment 2 for bug 57091

enyc (enyc) wrote : Re: [Bug 57091] Re: proc/sys/net/ipv4/tcp_syncookies=1 should be seriously considered to permit SYN flood defense...

On Mon, 21 Aug 2006, Jeremy Vies wrote:
> I think "tcp_syncookies" is considered as part of the FW mechanism of the kernel.
> As Dapper (and previous releases) does not provide any FW out of the box, it is normal that tcp_syncookies are not activated by default.
> Your bug report should be put as a wish for next release, and maybe linked to bug about the "missing FW" in Ubuntu.
Urrm... Well a firewall addon is another matter...
That is for blocking ports and particular hosts and so forth.....

Ubuntu (sensibly) starts with no 'open ports' (except on 127.0.0.1)
  unless you add a service or install a LAMP server...

It doesn't need a firewall for a lot of cases -- firewall just adds
  needless extra complexity.... Just don't start services you don't
  want. Only need to add a firewall if you want to control access
  of particular IP addresses and so forth...

But w/o syncookies your VNC or SSH or Samba-shares or whatever can
  be trivially DoSed from a low-bandwidth connection, which is rather
  silly really. I understand they don't actually change anything
  about TCP behaviour until there are too many SYN_RECVD entries,
  at which point the syncookies 'kick in', permitting access to
  your TCP servers which are under a continuing SYN flood....

--enyc <email address hidden>
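The mechanism enyc describes (a bounded SYN backlog that only falls back to stateless cookies once it is full) can be modelled in a few dozen lines. The following is an added illustration written for this page, not code from the Linux kernel or from anyone in the bug thread; it uses a constructed backlog size of 4, a constructed secret, and a simplified cookie (an HMAC over the 4-tuple and a coarse counter truncated to 32 bits) instead of the kernel's real encoding of timestamp and MSS bits into the ISN. It shows that with syncookies off a flood of half-open entries from spoofed sources blocks a legitimate client, while with syncookies on the same client still completes its handshake because the server needs no per-connection state to validate the final ACK.

```python
import hashlib
import hmac

BACKLOG_MAX = 4  # constructed, tiny SYN backlog so the flood is visible


def _cookie(secret, src_ip, src_port, dst_ip, dst_port, counter):
    """Stateless ISN: keyed hash of the 4-tuple and a coarse clock, 32 bits."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}@{counter}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


class Listener:
    """Toy TCP listener: SYN backlog plus optional syncookie fallback."""

    def __init__(self, ip, port, syncookies, secret=b"constructed-demo-secret"):
        self.ip, self.port = ip, port
        self.syncookies = syncookies      # models net.ipv4.tcp_syncookies
        self.secret = secret
        self.half_open = {}               # (src_ip, src_port) -> server ISN (SYN_RECV)
        self.established = set()
        self.counter = 0                  # coarse clock advanced by tick()
        self.next_isn = 1000

    def tick(self):
        self.counter += 1

    def on_syn(self, src_ip, src_port):
        """Return the ISN sent in SYN-ACK, or None if the SYN is dropped."""
        key = (src_ip, src_port)
        if len(self.half_open) < BACKLOG_MAX:
            isn, self.next_isn = self.next_isn, self.next_isn + 1
            self.half_open[key] = isn     # normal stateful path
            return isn
        if self.syncookies:
            # Backlog full: answer with a cookie and keep no state at all.
            return _cookie(self.secret, src_ip, src_port, self.ip, self.port,
                           self.counter)
        return None                       # backlog full, SYN silently dropped

    def on_ack(self, src_ip, src_port, ack):
        """Final ACK of the handshake; True if the connection is established."""
        key = (src_ip, src_port)
        if key in self.half_open:
            if ack == (self.half_open.pop(key) + 1) & 0xFFFFFFFF:
                self.established.add(key)
                return True
            return False
        if self.syncookies:
            # Recompute the cookie for the current and previous clock value;
            # a valid ACK proves the peer really received our SYN-ACK.
            for c in (self.counter, self.counter - 1):
                expected = _cookie(self.secret, src_ip, src_port,
                                   self.ip, self.port, c)
                if ack == (expected + 1) & 0xFFFFFFFF:
                    self.established.add(key)
                    return True
        return False


def simulate(syncookies):
    """Ten spoofed SYNs that never complete, then one legitimate client."""
    srv = Listener("10.0.0.1", 22, syncookies)
    for i in range(10):                           # constructed flood sources
        srv.on_syn(f"192.0.2.{i}", 40000 + i)      # no ACK ever follows
    isn = srv.on_syn("198.51.100.7", 51000)       # constructed legitimate client
    if isn is None:
        return "dropped"
    ok = srv.on_ack("198.51.100.7", 51000, (isn + 1) & 0xFFFFFFFF)
    return "established" if ok else "dropped"


def forged_ack_rejected():
    """An ACK that never saw a SYN-ACK cannot guess the cookie."""
    srv = Listener("10.0.0.1", 22, syncookies=True)
    for i in range(BACKLOG_MAX):
        srv.on_syn(f"192.0.2.{i}", 40000 + i)     # fill the backlog first
    return not srv.on_ack("203.0.113.9", 1234, 12345)


if __name__ == "__main__":
    print("syncookies=0:", simulate(False))      # dropped
    print("syncookies=1:", simulate(True))       # established
```

Note that cookie mode is only entered once `half_open` is full, which matches the observation in the comment that syncookies change nothing about normal TCP behaviour until the SYN_RECV table overflows.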