IP: TCP syncookie support (disabled per default)
modulename: syncookies.ko
configname: CONFIG_SYN_COOKIES
Linux Kernel Configuration
└─>Networking
└─>Networking options
└─>IP: TCP syncookie support (disabled per default)
In linux kernel since version 2.6.12
Normal TCP/IP networking is open to an attack known as "SYN
flooding". This denial-of-service attack prevents legitimate remote
users from being able to connect to your computer during an ongoing
attack and requires very little work from the attacker, who can
operate from anywhere on the Internet.
SYN cookies provide protection against this type of attack. If you
say Y here, the TCP/IP stack will use a cryptographic challenge
protocol known as "SYN cookies" to enable legitimate users to
continue to connect, even when your machine is under attack. There
is no need for the legitimate users to change their TCP/IP software;
SYN cookies work transparently to them. For technical information
about SYN cookies, check out <http://cr.yp.to/syncookies.html>.
If you are SYN flooded, the source address reported by the kernel is
likely to have been forged by the attacker; it is only reported as
an aid in tracing the packets to their actual source and should not
be taken as absolute truth.
SYN cookies may prevent correct error reporting on clients when the
server is really overloaded. If this happens frequently better turn
them off.
If you say Y here, note that SYN cookies aren't enabled by default;
you can enable them by saying Y to "/proc file system support" and
"Sysctl support" below and executing the command
echo 1 >/proc/sys/net/ipv4/tcp_syncookies
at boot time after the /proc file system has been mounted.
If unsure, say N.
flooding". This denial-of-service attack prevents legitimate remote
users from being able to connect to your computer during an ongoing
attack and requires very little work from the attacker, who can
operate from anywhere on the Internet.
SYN cookies provide protection against this type of attack. If you
say Y here, the TCP/IP stack will use a cryptographic challenge
protocol known as "SYN cookies" to enable legitimate users to
continue to connect, even when your machine is under attack. There
is no need for the legitimate users to change their TCP/IP software;
SYN cookies work transparently to them. For technical information
about SYN cookies, check out <http://cr.yp.to/syncookies.html>.
If you are SYN flooded, the source address reported by the kernel is
likely to have been forged by the attacker; it is only reported as
an aid in tracing the packets to their actual source and should not
be taken as absolute truth.
SYN cookies may prevent correct error reporting on clients when the
server is really overloaded. If this happens frequently better turn
them off.
If you say Y here, note that SYN cookies aren't enabled by default;
you can enable them by saying Y to "/proc file system support" and
"Sysctl support" below and executing the command
echo 1 >/proc/sys/net/ipv4/tcp_syncookies
at boot time after the /proc file system has been mounted.
If unsure, say N.