[Courses] [security] tcp_syncookies
Kai MacTane
kmactane at GothPunk.com
Fri Apr 12 17:15:32 EST 2002
At 4/12/02 04:39 PM , Hamster wrote:
>They say a little knowledge is a dangerous thing...
No shit. I just found out how little knowledge I actually have. (Read on.)
>The one I am thinking of is the SYN-flood attack. So you, I discovered
>/proc/sys/net/ipv4/tcp_syncookies. :)
Oddly enough, I was recently subjected to a SYN flood attack. (At least, I
think that's what it was. CPU load minimal, but all Net response sluggish
as a heroin-drowsed snail. Pings to my DSL provider came back in roughly
200-5000 ms, with data errors. netstat showed lots of connections from one
IP, all in state SYN_RECV. If that's not what a SYN flood attack looks
like, I'd like to know what the heck it *was*.)
So, reading your message, I just did this:
root@surehand root# cat /proc/sys/net/ipv4/tcp_syncookies
0
root@surehand root#
D'oh!
>Now before I go happily "echo 1 > /proc/sys/net/ipv4/tcp_syncookies" -ing,
>are there any implications I should know about that makes this not such a
>good idea?
I'd love the answer to that one, too. Is there any reason in the world for
me to have that turned off (especially given that the skript kiddie who
apparently "0wnZ0r"s adsl-66-120-84-178.dsl.snfc21.pacbell.net could decide
to make my life annoying again at any time)? And, will simply echoing 1
into that file do anything, or do I need to do some other stuff as well?
(My kernel is a Slackware 2.4.5 kernel, so far unpatched.)
--Kai MacTane
----------------------------------------------------------------------
"Why can't I live a life for me?
Why should I take the abuse that's served?
Why can't they see they're just like me?
I'm not the one that's so absurd!"
--Ministry, "Every Day is Halloween"
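
The symptom described in the message above (many connections from one IP, all in state SYN_RECV, with tcp_syncookies at 0) can be checked with a short script. This is an added example, not part of the original post: the function names, the threshold and the sample netstat lines are constructed for illustration, and it assumes the Linux `netstat -tn` column layout.

```shell
#!/bin/sh
# Added example: tally half-open (SYN_RECV) TCP connections per remote address.

# Constructed sample of `netstat -tn` output; addresses are documentation ranges.
sample_netstat() {
cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           203.0.113.7:40112       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.7:40113       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.7:40114       SYN_RECV
tcp        0      0 192.0.2.10:22           198.51.100.4:51514      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.9:33100      SYN_RECV
EOF
}

# stdin: netstat -tn text. stdout: "count address" lines, highest count first.
syn_recv_by_source() {
    awk '$1 ~ /^tcp/ && $6 == "SYN_RECV" {
             addr = $5
             sub(/:[0-9]+$/, "", addr)    # drop the remote port
             n[addr]++
         }
         END { for (a in n) print n[a], a }' | sort -rn
}

# stdin: netstat -tn text. $1: threshold (an assumed tuning value).
# stdout: remote addresses holding at least that many half-open connections.
flag_sources() {
    syn_recv_by_source | awk -v t="$1" '$1 >= t { print $2 }'
}

# Prints the tcp_syncookies setting, or "unavailable" if the file is absent
# (non-Linux host, or a kernel built without SYN cookie support).
syncookies_state() {
    f=${1:-/proc/sys/net/ipv4/tcp_syncookies}
    if [ -r "$f" ]; then cat "$f"; else echo "unavailable"; fi
}

echo "tcp_syncookies: $(syncookies_state)"
sample_netstat | syn_recv_by_source
echo "flagged at threshold 3: $(sample_netstat | flag_sources 3)"
```

On a live host, pipe real output into the same functions, for example `netstat -tn | flag_sources 20`.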