
CONFIG_SYN_COOKIES: IP: TCP syncookie support

General information

The Linux kernel configuration item CONFIG_SYN_COOKIES has multiple definitions:

IP: TCP syncookie support (disabled per default) found in net/ipv4/Kconfig

The configuration item CONFIG_SYN_COOKIES:

Help text

Normal TCP/IP networking is open to an attack known as "SYN flooding". This denial-of-service attack prevents legitimate remote users from being able to connect to your computer during an ongoing attack and requires very little work from the attacker, who can operate from anywhere on the Internet.

SYN cookies provide protection against this type of attack. If you say Y here, the TCP/IP stack will use a cryptographic challenge protocol known as "SYN cookies" to enable legitimate users to continue to connect, even when your machine is under attack. There is no need for the legitimate users to change their TCP/IP software; SYN cookies work transparently to them. For technical information about SYN cookies, check out http://cr.yp.to/syncookies.html.

If you are SYN flooded, the source address reported by the kernel is likely to have been forged by the attacker; it is only reported as an aid in tracing the packets to their actual source and should not be taken as absolute truth.

SYN cookies may prevent correct error reporting on clients when the server is really overloaded. If this happens frequently, it is better to turn them off.

If you say Y here, note that SYN cookies aren't enabled by default; you can enable them by saying Y to "/proc file system support" and "Sysctl support" below and executing the command

echo 1 >/proc/sys/net/ipv4/tcp_syncookies

at boot time after the /proc file system has been mounted.

If unsure, say N.

IP: TCP syncookie support found in net/ipv4/Kconfig

The configuration item CONFIG_SYN_COOKIES:

Help text

Normal TCP/IP networking is open to an attack known as "SYN flooding". This denial-of-service attack prevents legitimate remote users from being able to connect to your computer during an ongoing attack and requires very little work from the attacker, who can operate from anywhere on the Internet.

SYN cookies provide protection against this type of attack. If you say Y here, the TCP/IP stack will use a cryptographic challenge protocol known as "SYN cookies" to enable legitimate users to continue to connect, even when your machine is under attack. There is no need for the legitimate users to change their TCP/IP software; SYN cookies work transparently to them. For technical information about SYN cookies, check out http://cr.yp.to/syncookies.html.

If you are SYN flooded, the source address reported by the kernel is likely to have been forged by the attacker; it is only reported as an aid in tracing the packets to their actual source and should not be taken as absolute truth.

SYN cookies may prevent correct error reporting on clients when the server is really overloaded. If this happens frequently, it is better to turn them off.

If you say Y here, you can disable SYN cookies at run time by saying Y to "/proc file system support" and "Sysctl support" below and executing the command

echo 0 > /proc/sys/net/ipv4/tcp_syncookies

after the /proc file system has been mounted.

If unsure, say N.
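
The two definitions above differ in their run-time default (one needs "echo 1", the other is switched off with "echo 0"), so a host has to be checked at both build time and run time. The following is an added example, not part of LKDDb or the kernel tree: it assumes the kernel config is stored at /boot/config-$(uname -r) (a common distribution convention), the function name syncookie_state is hypothetical, and the value 2 comes from the kernel's sysctl documentation rather than from this page.

```shell
#!/bin/sh
# Added example: report the build-time and run-time state of SYN cookies.
# Usage: syncookie_state [kernel-config-file] [sysctl-file]
# Both paths can be overridden, which also allows testing against
# constructed files instead of the running host.

syncookie_state() {
    # Assumed default location of the kernel config (distribution convention).
    config_file=${1:-/boot/config-$(uname -r)}
    # Sysctl file named in the help text.
    sysctl_file=${2:-/proc/sys/net/ipv4/tcp_syncookies}

    # Build time: CONFIG_SYN_COOKIES is a bool, recorded either as "=y"
    # or as "# CONFIG_SYN_COOKIES is not set".
    if [ -r "$config_file" ]; then
        if grep -q '^# CONFIG_SYN_COOKIES is not set' "$config_file"; then
            echo "not-built"
            return 0
        fi
        if ! grep -q '^CONFIG_SYN_COOKIES=y' "$config_file"; then
            echo "unknown"      # option not mentioned in this config file
            return 0
        fi
    fi

    # Run time: without a readable sysctl file the state cannot be told.
    if [ ! -r "$sysctl_file" ]; then
        echo "unknown"
        return 0
    fi
    value=$(tr -d '[:space:]' < "$sysctl_file")

    case "$value" in
        0) echo "disabled" ;;         # built in, but switched off
        1) echo "enabled" ;;          # cookies sent when the SYN backlog overflows
        2) echo "enabled-always" ;;   # cookies sent for every SYN
        *) echo "unknown" ;;
    esac
}
```

Source the file and call syncookie_state with no arguments to check the running host. A result of "disabled" on a kernel built with the first definition means the "echo 1" step was never run at boot.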

Hardware

LKDDb

Raw data from LKDDb:

Sources

This page is automatically generated with free (libre, open) software lkddb (see lkddb-sources).

The data is retrieved from:


Automatically generated (in year 2014) with gen-web-lkddb.py in lkddb-sources.