1

We are looking at tuning our Linux TCP stack on one of our LAN boxes.

We were wondering if it is OK / advisable to disable SYN cookies on a server that doesn't have any sort of external (e.g. "internet") access.

Is it OK to disable SYN cookies on a LAN-only server via net.ipv4.tcp_syncookies?

anonymous-one

2 Answers

4

SYN cookies are disabled by default. That should be a reasonable indication of what you should be doing, absent specific knowledge to the contrary. More specifically, tcp(7) says:

The syncookies feature attempts to protect a socket from a SYN flood attack. This should be used as a last resort, if at all. This is a violation of the TCP protocol, and conflicts with other areas of TCP such as TCP extensions. It can cause problems for clients and relays. It is not recommended as a tuning mechanism for heavily loaded servers to help with overloaded or misconfigured conditions.

womble
  • Many Linux distributions, including CentOS which we are using, default to net.ipv4.tcp_syncookies=1 via /etc/sysctl.conf. Default as in: on a fresh install, net.ipv4.tcp_syncookies=1 exists in /etc/sysctl.conf. – anonymous-one Jun 26 '12 at 08:59
  • So your distro overrides the default. That doesn't change the fact that it *is* the default in the Linux kernel. – womble Jun 26 '12 at 09:15
  • Syncookies are enabled by default to prevent a system crash in case of excessive SYN requests. If you are expecting a very high rate of connections, e.g. on a test machine, then you can disable it, no problem, via sysctl – Andrew Smith Jun 26 '12 at 11:16
  • @AndrewSmith: You can't crash a Linux server with a SYN flood. You can only starve the server from being able to accept legitimate TCP connection requests. – womble Jun 26 '12 at 11:20
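To make the "kernel default versus distro override" point in the comments above concrete, here is an added example (not part of womble's answer or of this page) that resolves the effective value of net.ipv4.tcp_syncookies from sysctl.conf-style text the way sysctl does: later assignments win over earlier ones, and a key that never appears keeps the kernel's built-in value. The sample config text is constructed for the example and only modelled on the CentOS file the question describes; the kernel default of 0 is taken from the answer above, not read from any kernel.

```shell
#!/bin/sh
# Added example, not code from the original page: show how a distro's
# /etc/sysctl.conf can override the kernel's built-in tcp_syncookies value,
# and how a later line in the same file overrides the distro's setting.

# Kernel built-in value. The answer above states it is 0; treat the number as
# an assumption for this example rather than something read from a kernel.
KERNEL_DEFAULT_SYNCOOKIES=0

# effective_value KEY DEFAULT   (sysctl.conf text on stdin)
# Prints the last value assigned to KEY, or DEFAULT if KEY never appears.
# Handles '#' / ';' comment lines, blank lines, surrounding whitespace, keys
# written with '/' instead of '.', and the optional leading '-' that tells
# sysctl to ignore errors for that line.
effective_value() {
    key=$1
    default=$2
    awk -v key="$key" -v def="$default" '
        { gsub(/^[ \t]+|[ \t]+$/, "") }     # trim the line
        /^$/        { next }                # blank line
        /^[#;]/     { next }                # comment line
        index($0, "=") == 0 { next }        # not an assignment
        {
            split($0, kv, "=")
            k = kv[1]; v = kv[2]
            gsub(/[ \t]/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            gsub("/", ".", k)               # kernel/sysrq == kernel.sysrq
            sub(/^-/, "", k)                # leading "-" only affects error handling
            if (k == key) last = v          # later assignment overrides earlier
        }
        END { print (last == "" ? def : last) }
    '
}

# Constructed sample modelled on the distro file the question describes
# (not copied from any real /etc/sysctl.conf).
DISTRO_SYSCTL_CONF='# Kernel sysctl configuration file
; both comment styles are accepted by sysctl
net.ipv4.ip_forward = 0
net.ipv4.tcp_syncookies = 1
kernel/sysrq = 0
'

# The same file after an admin appended a line turning cookies off on a
# LAN-only host. The last assignment wins when sysctl -p loads the file.
LAN_SYSCTL_CONF="$DISTRO_SYSCTL_CONF
# LAN-only host, local decision: no untrusted SYN sources reach this box
net.ipv4.tcp_syncookies = 0
"

# syncookies_from CONFIG_TEXT: effective tcp_syncookies for that file text.
syncookies_from() {
    printf '%s\n' "$1" | effective_value net.ipv4.tcp_syncookies "$KERNEL_DEFAULT_SYNCOOKIES"
}

# live_syncookies: what the running kernel is actually using, if /proc is
# available. Compare this with the config file before deciding anything.
live_syncookies() {
    if [ -r /proc/sys/net/ipv4/tcp_syncookies ]; then
        cat /proc/sys/net/ipv4/tcp_syncookies
    else
        echo "unavailable"
    fi
}

echo "distro file        -> tcp_syncookies=$(syncookies_from "$DISTRO_SYSCTL_CONF")"
echo "after LAN override -> tcp_syncookies=$(syncookies_from "$LAN_SYSCTL_CONF")"
echo "running kernel     -> tcp_syncookies=$(live_syncookies)"

# To actually change the live value and make it persistent you would run, as root:
#   sysctl -w net.ipv4.tcp_syncookies=0   # live change
#   sysctl -p                             # reload /etc/sysctl.conf after editing it
# Neither is executed here so the script stays safe to run anywhere.
```

Running the script prints 1 for the distro file, 0 once the override line is appended, and whatever /proc reports on the machine it runs on. Checking /proc against the file is the useful habit: the file tells you what will be loaded at boot or by `sysctl -p`, /proc tells you what the kernel is doing right now, and a box that was tuned by hand can easily have the two disagree.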
1

I am not sure if you are doing it the right way.

If you have some need or some problem (then say so :) then tweak the TCP stack; otherwise leave it as it is. Why would you disable syncookies? What is the benefit you are expecting?

cstamas