Comment 4 for bug 57091
Revision history for this message
| enyc (enyc) wrote Updates on this matter/bug 57091... | #4 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
0e1f616
(Get the code!)
Firstly...
You do not need to start a 'server program' as-such to get a listening port. Using bittorrent client or 'ftp' will easily create listening ports, making the system vulnerable to SYN-flood-DoS on those tcp-sockets. I.e. users can be easily 'vulnerable' without having to set up a service as-such.
Iptables does not directly solve the problem of SYN DoS.... Note that the DoS can/does happen using forged-source IP addresses and hence blocking 'source addresses' w/ iptables can only seek to mitigate the issue but not prevent it.
I believe that firemalls are a separate consideration really....
This is a TCP configuration parameter that permits/denies the use of a syncookies defense under SYN-flood-attack scenarios.
This is a 'TCP stack vulnerable to resource-exhaustion DoS by configuration/
I think I see this "issue" in a different way Jeremy Vies.
The way I see this, there is no reason to disallow the use of SYNcookies when under SYN DoS. I understand the TCP stack in linux continues to answer TCP SYN w/ options etc. in the same way as without syncookies=1 until SYN queue is full -- i.e. no difference except when under DoS.
*** Any facts / details to confirm or contradict anything stated above would be appreciated ;-) ***