On Thu, Nov 08, 2007 at 04:43:43PM +0100, Matthieu Huguet wrote:
>
> > Hoping this helps,
>
> Thanks, your comments help us a lot.
>
> Our major problem was the max_syn_backlog limit and ip conntrack.
> We first tried to increase the hashlimit and conntrack_max values.
> It worked... but it is much better without conntrack :)
:-)
> Instead of increasing the max_syn_backlog, what do you think about
> activating syncookies ?
I never tried, and honestly, I don't see the benefit. The reason to increase the syn_backlog is not to protect against a DoS, but really to queue up enough connections while the process is doing something else.
If your site is regularly DoSed, then it may make sense to enable syn cookies, provided you have nothing stateful between the net and your LB. But generally attacks consist of performing real requests so that your components work for real. Sometimes the tarpit option can help if you can identify nasty requests (I developed it for a site which got a stupid DoS).
Regards,
Willy
Received on 2007/11/08 20:54
This archive was generated by hypermail 2.2.0 : 2007/11/08 21:30 CET
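The three tunables the thread argues about (the SYN backlog, syncookies and the conntrack table) are easy to audit together from a `sysctl -a` snapshot. The script below is an added example written for this archive page, not code posted by either correspondent or shipped by HAProxy. It assumes a `key = value` snapshot format, an arbitrary 4096 floor for `tcp_max_syn_backlog` on a busy load balancer, and constructed sample values; the one kernel fact it relies on beyond the thread is that a `listen()` backlog is capped at `net.core.somaxconn`, so raising the SYN backlog alone does not enlarge the accept queue.

```shell
#!/bin/sh
# Added example, not code from the thread or from the HAProxy project:
# audit the kernel TCP queue tunables discussed above from a sysctl-style
# snapshot ("key = value" lines, as produced by "sysctl -a > snapshot.txt").
# The 4096 floor and the sample snapshots below are constructed assumptions.

MIN_SYN_BACKLOG=${MIN_SYN_BACKLOG:-4096}

# sysctl_value FILE KEY: print KEY's value from the snapshot, or nothing.
sysctl_value() {
    awk -F' *= *' -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# audit_tcp_queue_settings FILE: print one OK/WARN line per check and
# return the number of WARN lines as the exit status (0 = nothing to fix).
audit_tcp_queue_settings() {
    snap=$1
    warns=0
    backlog=$(sysctl_value "$snap" net.ipv4.tcp_max_syn_backlog)
    somax=$(sysctl_value "$snap" net.core.somaxconn)
    cookies=$(sysctl_value "$snap" net.ipv4.tcp_syncookies)
    ctmax=$(sysctl_value "$snap" net.netfilter.nf_conntrack_max)

    # 1. The SYN backlog queues half-open connections while the proxy
    #    process is busy elsewhere; too small and SYNs are dropped under load.
    if [ -z "$backlog" ] || [ "$backlog" -lt "$MIN_SYN_BACKLOG" ]; then
        echo "WARN tcp_max_syn_backlog=${backlog:-unset} below floor $MIN_SYN_BACKLOG"
        warns=$((warns + 1))
    else
        echo "OK   tcp_max_syn_backlog=$backlog"
    fi

    # 2. listen() backlogs are silently capped at somaxconn, so a raised
    #    SYN backlog does not help if the accept queue stays at the default.
    if [ -n "$backlog" ] && [ "${somax:-0}" -lt "$backlog" ]; then
        echo "WARN somaxconn=${somax:-unset} caps the accept queue below tcp_max_syn_backlog=$backlog"
        warns=$((warns + 1))
    else
        echo "OK   somaxconn=${somax:-unset}"
    fi

    # 3. Syncookies only remove the half-open-state limit when nothing
    #    stateful sits in the path; a loaded conntrack table still takes an
    #    entry per incoming SYN, so the stateful limit remains.
    if [ "${cookies:-0}" -eq 1 ] && [ -n "$ctmax" ]; then
        echo "WARN tcp_syncookies=1 but conntrack is loaded (nf_conntrack_max=$ctmax): table still fills per SYN"
        warns=$((warns + 1))
    elif [ -n "$ctmax" ]; then
        echo "WARN conntrack loaded (nf_conntrack_max=$ctmax) on a load balancer"
        warns=$((warns + 1))
    else
        echo "OK   no connection tracking; tcp_syncookies=${cookies:-unset}"
    fi
    return "$warns"
}

# count_warns FILE: number of WARN findings for a snapshot, on stdout.
count_warns() {
    audit_tcp_queue_settings "$1" | awk '/^WARN/ { n++ } END { print n + 0 }'
}

# sample_snapshot weak|fixed: write a constructed snapshot and print its path.
# "weak" mirrors the defaults the thread ran into; "fixed" has the queues
# raised and connection tracking unloaded.
sample_snapshot() {
    f=$(mktemp)
    if [ "$1" = weak ]; then
        cat > "$f" <<'EOF'
net.ipv4.tcp_max_syn_backlog = 1024
net.core.somaxconn = 128
net.ipv4.tcp_syncookies = 1
net.netfilter.nf_conntrack_max = 65536
EOF
    else
        cat > "$f" <<'EOF'
net.ipv4.tcp_max_syn_backlog = 16384
net.core.somaxconn = 16384
net.ipv4.tcp_syncookies = 0
EOF
    fi
    echo "$f"
}

# Stand-alone run: audit a real snapshot given as $1, else both samples.
if [ -n "$1" ]; then
    audit_tcp_queue_settings "$1" || true
else
    for kind in weak fixed; do
        f=$(sample_snapshot "$kind")
        echo "== $kind sample =="
        audit_tcp_queue_settings "$f" || true
        rm -f "$f"
    done
fi
```

Run it as `sh audit.sh snapshot.txt` against a snapshot taken on the load balancer; with no argument it audits the two constructed samples, reporting three warnings for the weak one and none for the tuned one. The checks are deliberately read-only: the point is to see the three limits side by side before deciding, as the thread did, whether the fix is a larger backlog or removing the stateful component.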