Comments on: TCP SYN Cookies — DDoS Defence http://etherealmind.com/tcp-syn-cookies-ddos-defence/ Network design, architecture, thinking, working. Tech. Fri, 19 Mar 2010 13:25:26 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: Greg Ferro http://etherealmind.com/tcp-syn-cookies-ddos-defence/comment-page-1/#comment-4669 Greg Ferro Wed, 10 Feb 2010 07:20:59 +0000 http://etherealmind.com/?p=618#comment-4669 The loads they discuss here aren't really significant. Typically, I'm designing for archictectures that have around 500K to 1 million concurrent HTTP session. Syn cookies are not implemented on the servers since the code complexity reduces system reliability and are handled at the network layer. Also, Linux sysadmins don't typically have networking skills that comprehend TCP SYN floods. That said, it's usually the network person securing against a SYN Flood and not the server team. Therefore handling SYN floods at the network is far more common. YMMV. Note: At loads of 1 million concurrent sessions, you wouldn't be using an IOS router but dedicated device. The loads they discuss here aren’t really significant. Typically, I’m designing for archictectures that have around 500K to 1 million concurrent HTTP session. Syn cookies are not implemented on the servers since the code complexity reduces system reliability and are handled at the network layer. Also, Linux sysadmins don’t typically have networking skills that comprehend TCP SYN floods.

That said, it’s usually the network person securing against a SYN Flood and not the server team. Therefore handling SYN floods at the network is far more common. YMMV.

Note: At loads of 1 million concurrent sessions, you wouldn’t be using an IOS router but dedicated device.

]]> By: Thomas Jones http://etherealmind.com/tcp-syn-cookies-ddos-defence/comment-page-1/#comment-4668 Thomas Jones Wed, 10 Feb 2010 02:02:11 +0000 http://etherealmind.com/?p=618#comment-4668 see here: http://lwn.net/Articles/277146/ Syncookies take a system from serving nothing (due to syn flood) to almost as much as it does under no flood. Also syn cookies impose no extra cost unless the system is actually under attack or very heavy load (ie it would have just dropped the connection) see here:

http://lwn.net/Articles/277146/

Syncookies take a system from serving nothing (due to syn flood) to almost as much as it does under no flood.

Also syn cookies impose no extra cost unless the system is actually under attack or very heavy load (ie it would have just dropped the connection)

]]> By: Thomas Jones http://etherealmind.com/tcp-syn-cookies-ddos-defence/comment-page-1/#comment-4667 Thomas Jones Wed, 10 Feb 2010 01:59:36 +0000 http://etherealmind.com/?p=618#comment-4667 What's this about syn cookies being too computationally expensive? That's just rubbish What’s this about syn cookies being too computationally expensive? That’s just rubbish

]]> By: TCP: drop open request from .. | Mats Lindh http://etherealmind.com/tcp-syn-cookies-ddos-defence/comment-page-1/#comment-4496 TCP: drop open request from .. | Mats Lindh Fri, 08 Jan 2010 10:03:15 +0000 http://etherealmind.com/?p=618#comment-4496 [...] turning on TCP SYN Cookies while the attack is taking place is probably the best idea (as enabling TCP SYN Cookies will disable most high performance TCP options, you’ll want to disable it after the attack has subsided [...] […] turning on TCP SYN Cookies while the attack is taking place is probably the best idea (as enabling TCP SYN Cookies will disable most high performance TCP options, you’ll want to disable it after the attack has subsided […]

]]> By: Arturo Servin http://etherealmind.com/tcp-syn-cookies-ddos-defence/comment-page-1/#comment-1426 Arturo Servin Fri, 12 Sep 2008 12:43:28 +0000 http://etherealmind.com/?p=618#comment-1426 Excellent post and very good references. I am doing my research on DoS and DDoS and this will be very helpful. Thanks, -as Excellent post and very good references. I am doing my research on DoS and DDoS and this will be very helpful.

Thanks,
–as

]]>