If you are sure that your problem is caused by having a lot of slow dialup
customers then increasing the SYN backlog is fine.
However, if you are seeing a SYN flood then SYN cookies are strongly
recommended.
Note: One does not rule out the other. SYN cookies only come into action if
there is an abnormal amount of not yet acknowledged connections, and then
allow valid connection attempts even if the server is completely flooded
with bogus SYN attempts.
My recommendation is to start by increasing the SYN backlog to at least
4*number of active clients, and plan to recompile the kernel with support for
SYN cookies to ensure you have good protection from intentional or accidental
SYN floods.
Regards
Henrik
Hamid Hashemi Golpayegani wrote:
> Thanks Henrik,
>
> Yeah, all of my clients are dial-up users, and also I have checked
> /proc/sys/net/ipv4 and there is no file named tcp_syncookies. Maybe I
> have not chosen some feature when compiling the kernel. Is it
> sufficient to increase /proc/sys/net/ipv4/tcp_max_syn_backlog
> (currently 1024) and restart squid, or should I recompile the kernel
> and make tcp_syncookies available?!
Received on Tue Jun 04 2002 - 07:23:00 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:08:26 MST
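The two knobs discussed in the thread, as an added example that is not part of the original exchange: a small POSIX sh script that applies Henrik's rule of thumb (raise tcp_max_syn_backlog to at least 4 times the number of active clients, never lowering it) and reports whether the kernel was built with SYN cookie support, which is what a missing /proc/sys/net/ipv4/tcp_syncookies file means (CONFIG_SYN_COOKIES left out). The PROC_ROOT variable and second argument are an assumption added here so the functions can be pointed at a fake tree for testing rather than only at a live /proc.

```shell
#!/bin/sh
# Added example, not code from the squid-users thread. Tunes the two Linux
# SYN-handling knobs discussed above via the /proc interface.
# PROC_ROOT is an assumption for this example: it defaults to /proc but can
# be pointed at a scratch directory so the logic can be exercised unprivileged.

PROC_ROOT="${PROC_ROOT:-/proc}"

# recommended_backlog ACTIVE_CLIENTS CURRENT_BACKLOG
# Prints the larger of 4*ACTIVE_CLIENTS and CURRENT_BACKLOG, so the
# backlog is only ever raised, never shrunk.
recommended_backlog() {
  clients=$1
  current=$2
  want=$((clients * 4))
  if [ "$want" -gt "$current" ]; then
    echo "$want"
  else
    echo "$current"
  fi
}

# syncookie_status [PROC_ROOT]
# Prints "missing" when the kernel lacks CONFIG_SYN_COOKIES (no sysctl file
# at all), "off" when the sysctl exists but is 0, and "on" otherwise.
syncookie_status() {
  f="${1:-$PROC_ROOT}/sys/net/ipv4/tcp_syncookies"
  if [ ! -e "$f" ]; then
    echo missing
    return 0
  fi
  case "$(cat "$f")" in
    0) echo off ;;
    *) echo on ;;
  esac
}

# apply_settings ACTIVE_CLIENTS [PROC_ROOT]
# Raises tcp_max_syn_backlog to the recommendation and, if the kernel
# supports it, turns SYN cookies on. Note that with tcp_syncookies=1 the
# kernel still queues normally and only starts sending cookies once the
# backlog overflows, which is why both settings matter together.
apply_settings() {
  clients=$1
  root="${2:-$PROC_ROOT}"
  bl="$root/sys/net/ipv4/tcp_max_syn_backlog"
  cur=$(cat "$bl")
  new=$(recommended_backlog "$clients" "$cur")
  echo "$new" > "$bl"
  if [ "$(syncookie_status "$root")" != missing ]; then
    echo 1 > "$root/sys/net/ipv4/tcp_syncookies"
  fi
  echo "backlog=$new syncookies=$(syncookie_status "$root")"
}

# Usage: sh tune_syn.sh <active_clients>   (as root, against the real /proc)
if [ "$#" -gt 0 ]; then
  apply_settings "$1"
fi
```

Writes to /proc do not survive a reboot; once the values look right, put the same two settings in /etc/sysctl.conf (net.ipv4.tcp_max_syn_backlog and net.ipv4.tcp_syncookies) so they are reapplied at boot. If syncookie_status prints "missing", no sysctl change will help and the kernel has to be rebuilt with SYN cookie support, as Henrik says.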