Kernel Bug Tracker – Bug 25322
[PATCH] tcp syn cookies will not eat your server anymore
Last modified: 2012-08-14 15:00:31 UTC
Based on a discussion on net-dev (http://article.gmane.org/gmane.linux.network.general/14344),
TCP syncookies seem to not be disastrous for performance anymore. Theses
improvements happened in 2.6.36, 2.6.33 and 2.6.26.
More info in theses commits:
- 4dfc28170 Add support for TCP options via timestamps.
- c6aefafb7 Add IPv6 support to TCP SYN cookies
- 172d69e63 syncookies: add support for ECN
What would you think about the following patch about the tcp_syn_cookie entry?
diff --git a/man7/tcp.7 b/man7/tcp.7
index 3903c9d..e42bdef 100644
@@ -677,11 +677,10 @@ The kernel must be compiled with
Send out syncookies when the syn backlog queue of a socket overflows.
The syncookies feature attempts to protect a
socket from a SYN flood attack.
-This should be used as a last resort, if at all.
-This is a violation of the TCP protocol,
-and conflicts with other areas of TCP such as TCP extensions.
-It can cause problems for clients and relays.
-It is not recommended as a tuning mechanism for heavily
+Until 2.6.36, it was violating TCP and has to be used as a last
+resort, if at all. Since 2.6.36, TCP extensions are preserved and the
+impact on performance is minimal.
+It is still not recommended as a tuning mechanism for heavily
loaded servers to help with overloaded or misconfigured conditions.
For recommended alternatives see
.IR tcp_max_syn_backlog ,
By the way, there is no information about tcp_cookie_size, the TCP Cookie Transaction sysctl (this new TCP extension was introduced in 2.6.33), do you want a patch?
Please don't send patches via bugzilla - it causes lots of problems with
our usual patch management and review processes.
Please send this patch via email as per Documentation/SubmittingPatches.
Suitable recipients may be found via scripts/get_maintainer.pl.