Send out syncookies when the syn backlog queue of a socket overflows. This is to protect against the common "syn flood attack". Disabled (0) by default.

Note that syncookies are a fallback facility. They must not be used to help highly loaded servers withstand a legitimate connection rate. If you see synflood warnings in your logs, but investigation shows that they occur because of overload from legitimate connections, you should tune other parameters until the warning disappears. See: tcp_max_syn_backlog, tcp_synack_retries, tcp_abort_on_overflow.

Syncookies seriously violate the TCP protocol, do not allow the use of TCP extensions, and can result in serious degradation of some services (for example SMTP relaying), visible not to you but to the clients and relays contacting you. If you see synflood warnings in your logs while not really being flooded, your server is seriously misconfigured.


To: p.herz@xxxxxxxxxxxx
Subject: Re: TCP_SYNCOOKIES - Negative impact(s) when enabled?
From: Pascal Hambourg
Date: Tue, 16 Nov 2010 13:14:26 +0100
Cc: linux-net@xxxxxxxxxxxxxxx
In-reply-to: <4CE24508.4080201@xxxxxxxxxxxx>
Organization: Plouf !
User-agent: Thunderbird (Windows/20090302)
Philipp Herz - Profihost AG wrote:
> Since which kernel version should this be fixed? Does it affect IPv4
> and IPv6 or only IPv4?

=== ChangeLog-2.6.26 ===

commit 4dfc2817025965a2fc78a18c50f540736a6b5c24
Author: Florian Westphal
Date: Thu Apr 10 03:12:40 2008 -0700

[Syncookies]: Add support for TCP options via timestamps.

Allow the use of SACK and window scaling when syncookies are used
and the client supports tcp timestamps. Options are encoded into
the timestamp sent in the syn-ack and restored from the timestamp
echo when the ack is received.

(side note: the feature was broken in 2.6.27 and restored in 2.6.28)

commit c6aefafb7ec620911d46174eed514f9df639e5a4
Author: Glenn Griffin
Date: Thu Feb 7 21:49:26 2008 -0800

[TCP]: Add IPv6 support to TCP SYN cookies

=== ChangeLog-2.6.33 ===

commit e994b7c901ded7200b525a707c6da71f2cf6d4bb
Author: David S. Miller
Date: Sat Nov 21 11:22:25 2009 -0800

tcp: Don't make syn cookies initial setting depend on CONFIG_SYSCTL

That's extremely non-intuitive, noticed by William Allen Simpson.

And let's make the default be on, it's been suggested by a lot of
people so we'll give it a try.

=== ChangeLog-2.6.36 ===

commit 172d69e63c7f1e8300d0e1c1bbd8eb0f630faa15
Author: Florian Westphal
Date: Mon Jun 21 11:48:45 2010 +0000

syncookies: add support for ECN

Allows use of ECN when syncookies are in effect by encoding ecn_ok
into the syn-ack tcp timestamp.
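The two Florian Westphal commits quoted above describe the same trick: when the client supports timestamps, the server stuffs the negotiated options (window scale, SACK, and later ECN) into the low bits of the timestamp it sends in the SYN-ACK, and reads them back from the TSecr the client echoes in its ACK, since the server kept no state for the half-open connection. The following is an added illustration, not kernel code; the 6-bit layout (4 bits window scale, one bit each for SACK and ECN) and the function names are assumptions chosen for the example.

```c
#include <stdint.h>
#include <stdbool.h>

/* Assumed layout (illustration, not the kernel's): the low TS_BITS of the
 * SYN-ACK timestamp carry the options, the high bits keep the clock so the
 * value still advances like an ordinary timestamp. */
#define TS_BITS        6
#define TS_MASK        ((1u << TS_BITS) - 1)
#define TS_WSCALE_MASK 0xFu        /* 4 bits: window scale 0..14 */
#define WSCALE_NONE    0xFu        /* client did not offer window scaling */
#define TS_SACK_OK     (1u << 4)
#define TS_ECN_OK      (1u << 5)

struct syn_opts {
    uint8_t wscale;      /* client's advertised shift count, valid if wscale_ok */
    bool    wscale_ok;
    bool    sack_ok;
    bool    ecn_ok;
};

/* Timestamp value placed in the SYN-ACK: clock in the high bits, the
 * options negotiated in the SYN in the low bits. No per-connection state
 * is kept; the client's echo is the only copy. */
uint32_t cookie_init_timestamp(uint32_t now, const struct syn_opts *o)
{
    uint32_t opts = o->wscale_ok ? (o->wscale & TS_WSCALE_MASK) : WSCALE_NONE;
    if (o->sack_ok) opts |= TS_SACK_OK;
    if (o->ecn_ok)  opts |= TS_ECN_OK;
    return (now & ~TS_MASK) | opts;
}

/* Recover the options from the timestamp echo (TSecr) in the final ACK.
 * Without a timestamp option nothing can be recovered: the connection is
 * established with plain TCP, which is the degradation the sysctl
 * documentation warns about. */
bool cookie_timestamp_decode(bool ts_present, uint32_t tsecr, struct syn_opts *o)
{
    o->wscale = 0;
    o->wscale_ok = o->sack_ok = o->ecn_ok = false;
    if (!ts_present)
        return false;
    uint32_t opts = tsecr & TS_MASK;
    if ((opts & TS_WSCALE_MASK) != WSCALE_NONE) {
        o->wscale_ok = true;
        o->wscale = opts & TS_WSCALE_MASK;
    }
    o->sack_ok = (opts & TS_SACK_OK) != 0;
    o->ecn_ok  = (opts & TS_ECN_OK) != 0;
    return true;
}
```

Losing the low 6 bits of clock resolution is the price paid for carrying the options; the cookie in the sequence number, not shown here, is what actually authenticates the ACK.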
