net.ipv4.tcp_syncookies = 1
With syncookies enabled, once the SYN backlog fills (more than 4096 incomplete connections on this system; the limit comes from net.ipv4.tcp_max_syn_backlog and the listening socket's own backlog), the kernel changes how it responds to new connection requests. Instead of keeping a half-open entry for every new SYN, it encodes a cookie into the initial sequence number of its SYN-ACK and then completely forgets that the request ever came in. If the client actually completes the handshake with the third packet, the ACK number it sends back is that cookie plus one, so the server can verify the cookie and rebuild the connection state in memory from it. The flood's spoofed requests will never send that third ACK, so the server can keep holding legitimate conversations without tying up huge amounts of memory and processor time on the flood. You can tell when this kicks in because the kernel logs "possible SYN flooding on port N. Sending cookies." The trade-off is that a cookie has only a few spare bits, so options from the original SYN such as window scaling and SACK are lost unless the client also sends TCP timestamps, which newer kernels use to carry them.
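To make the mechanism concrete, here is an added example (written for this page, not the kernel's code) that mints and checks cookies the way the classic Linux scheme does: the client ISN, a time counter in the top bits, a keyed hash, and an MSS index in the low bits all folded into the server's ISN. The toy listener then shows what a flood of 5000 spoofed SYNs does to a backlog of 4096 with and without cookies. HMAC-SHA256 stands in for the kernel's own hash, and the 4-entry MSS table, addresses, ports, counter values and the flood itself are constructed for the demo.

```python
import hashlib
import hmac
import os
import struct

COOKIEBITS = 24                       # low bits: hash + MSS index; high bits: time counter
COOKIEMASK = (1 << COOKIEBITS) - 1
MAX_COOKIE_AGE = 2                    # counter ticks (minutes in Linux) a cookie stays valid
MSS_TABLE = [536, 1300, 1440, 1460]   # MSS values that fit the spare bits (assumed, like the kernel's msstab)
U32 = 0xFFFFFFFF


def _cookie_hash(secret, saddr, daddr, sport, dport, count, c):
    # Keyed hash over the 4-tuple and counter. HMAC-SHA256 truncated to 32 bits is an
    # assumption for this example; the kernel uses its own hash over per-boot secrets.
    msg = struct.pack("!4s4sHHII", saddr, daddr, sport, dport, count & U32, c)
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")


def mss_index(mss):
    """Largest table entry not above the client's MSS (the only option the cookie keeps)."""
    return max(i for i, m in enumerate(MSS_TABLE) if m <= mss) if mss >= MSS_TABLE[0] else 0


def make_cookie(secret, saddr, daddr, sport, dport, client_seq, mss, count):
    """Server ISN for the SYN-ACK: client ISN + (counter << 24) + keyed hashes + MSS index."""
    data = mss_index(mss)
    return (_cookie_hash(secret, saddr, daddr, sport, dport, 0, 0)
            + client_seq
            + (count << COOKIEBITS)
            + ((_cookie_hash(secret, saddr, daddr, sport, dport, count, 1) + data) & COOKIEMASK)) & U32


def check_cookie(secret, cookie, saddr, daddr, sport, dport, client_seq, count):
    """Return the MSS encoded in a returned cookie, or None if it is stale or not ours."""
    cookie = (cookie - _cookie_hash(secret, saddr, daddr, sport, dport, 0, 0) - client_seq) & U32
    diff = (count - (cookie >> COOKIEBITS)) & (U32 >> COOKIEBITS)   # ticks since the cookie was minted
    if diff >= MAX_COOKIE_AGE:
        return None
    data = (cookie - _cookie_hash(secret, saddr, daddr, sport, dport, count - diff, 1)) & COOKIEMASK
    return MSS_TABLE[data] if data < len(MSS_TABLE) else None


class Listener:
    """Toy listening socket: without syncookies every SYN costs a half-open entry (bounded
    by the backlog); with them nothing is stored until the third packet arrives and checks out."""

    def __init__(self, addr, port, backlog, syncookies):
        self.addr, self.port, self.backlog, self.syncookies = addr, port, backlog, syncookies
        self.secret = os.urandom(16)
        self.half_open = {}          # (saddr, sport) -> (client ISN, server ISN, mss): the flood's cost
        self.established = []
        self.dropped = 0

    def on_syn(self, saddr, sport, client_seq, mss, count):
        """Return the server ISN sent in the SYN-ACK, or None if the SYN was dropped."""
        if self.syncookies:
            return make_cookie(self.secret, saddr, self.addr, sport, self.port, client_seq, mss, count)
        if len(self.half_open) >= self.backlog:
            self.dropped += 1
            return None
        isn = int.from_bytes(os.urandom(4), "big")
        self.half_open[(saddr, sport)] = (client_seq, isn, mss)
        return isn

    def on_ack(self, saddr, sport, seq, ack, count):
        """Third packet: seq = client ISN + 1, ack = server ISN + 1. True if a connection is built."""
        if self.syncookies:
            mss = check_cookie(self.secret, (ack - 1) & U32, saddr, self.addr,
                               sport, self.port, (seq - 1) & U32, count)
        else:
            entry = self.half_open.get((saddr, sport))
            mss = entry[2] if entry and (entry[1] + 1) & U32 == ack else None
            if mss is not None:
                del self.half_open[(saddr, sport)]
        if mss is None:
            return False
        self.established.append(((saddr, sport), mss))
        return True


def flood_demo(syncookies, n_bogus=5000, backlog=4096):
    """Constructed scenario: n_bogus spoofed SYNs that never complete, then one real client."""
    srv = Listener(b"\x0a\x00\x00\x01", 80, backlog, syncookies)
    count = 100                                  # cookie time counter during the flood
    for i in range(n_bogus):                     # spoofed sources; no third ACK ever comes
        srv.on_syn(struct.pack("!I", 0xC0A80000 + i), 40000 + i % 20000, i * 7919, 1460, count)
    saddr, sport, cseq = b"\xc6\x33\x64\x05", 51234, 0xDEADBEEF   # the legitimate client
    isn = srv.on_syn(saddr, sport, cseq, 1440, count)
    ok = isn is not None and srv.on_ack(saddr, sport, (cseq + 1) & U32, (isn + 1) & U32, count + 1)
    return {"half_open": len(srv.half_open), "dropped": srv.dropped,
            "legit_connected": ok, "mss": srv.established[0][1] if ok else None}


if __name__ == "__main__":
    for flag in (False, True):
        print("syncookies =", int(flag), flood_demo(flag))
```

Without cookies the 4096-entry table fills with spoofed half-open connections and the real client's SYN is dropped; with cookies the table stays empty, the client's third ACK carries the cookie back, and the connection is rebuilt with the MSS that was folded into it. Note that the cookie only survives two counter ticks and that only the MSS survives the round trip, which is the option loss mentioned above.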
Tuesday, March 3, 2009