Send out syncookies when the SYN backlog queue of a socket overflows. This protects against the common "SYN flood" attack. Disabled (0) by default.
:--:cat /proc/sys/net/ipv4/tcp_syncookies
0
:--:
Added from the Linux kernel source.
/*
 * Generate a syncookie. mssp points to the mss, which is returned
 * rounded down to the value encoded in the cookie.
 *
 * The result is the syncookie used as the initial sequence number of
 * the SYN-ACK (hence "init_sequence"). secure_tcp_syn_cookie() derives it
 * from the connection 4-tuple, the client's ISN, a minute-granularity
 * time counter and the index of the rounded-down MSS in msstab[], so the
 * MSS can be recovered from the cookie later.
 */
__u32 cookie_v4_init_sequence(struct sock *sk, struct sk_buff *skb, __u16 *mssp)
{
	const struct iphdr *ip = ip_hdr(skb);
	const struct tcphdr *tcp = tcp_hdr(skb);
	const __u16 mss = *mssp;
	int idx = 0;

	/* Presumably records the overflow on sk; done before any cookie is built. */
	tcp_synq_overflow(sk);

	/*
	 * Advance idx while the next table entry is still below mss, so mss
	 * ends up in (msstab[idx], msstab[idx + 1]] assuming msstab[] is
	 * ascending. NOTE: this scan only terminates if msstab[] ends with a
	 * sentinel no smaller than any 16-bit MSS — the table is defined
	 * elsewhere, confirm before changing it.
	 * XXX sort msstab[] by probability? Binary search?
	 */
	while (mss > msstab[idx + 1])
		idx++;
	/* Hand the rounded-down MSS back to the caller. */
	*mssp = msstab[idx] + 1;

	NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_SYNCOOKIESSENT);

	/* jiffies / (HZ * 60) gives the cookie a one-minute time counter. */
	return secure_tcp_syn_cookie(ip->saddr, ip->daddr,
				     tcp->source, tcp->dest, ntohl(tcp->seq),
				     jiffies / (HZ * 60), idx);
}