TCP tuning: tcp_syncookies

tcp_syncookies.
Send out SYN cookies when the SYN backlog queue of a listening socket overflows. This mitigates the common "SYN flood" denial-of-service attack; because cookies are only emitted once the queue has overflowed, connections on an unloaded listener are handled normally. Disabled (0) by default on this system.

:--:cat /proc/sys/net/ipv4/tcp_syncookies
0
:--:
The cookie-generation routine, taken from the Linux kernel source (gutter line numbers are from the original file):
/*
 * Generate a SYN cookie for the SYN carried in @skb on listening socket @sk.
 *
 * @mssp: in: the MSS advertised by the peer; out: that MSS rounded to the
 *        value represented by the msstab[] index encoded in the cookie, so the
 *        MSS can be recovered when the cookie is later validated.
 *
 * Returns the 32-bit cookie (per its name, used as the initial sequence number
 * of the SYN-ACK -- confirm with the caller). It is computed by
 * secure_tcp_syn_cookie() from the connection 4-tuple, the client's ISN, a
 * coarse time counter (jiffies / (HZ * 60), i.e. roughly minute granularity
 * if HZ is ticks per second) and the msstab[] index. Presumably only those
 * inputs can be recovered from the cookie, which is why the MSS is quantised
 * to a small table index -- TODO confirm against the decode path.
 */
__u32 cookie_v4_init_sequence(struct sock *sk, struct sk_buff *skb, __u16 *mssp)
{
	const struct iphdr *iph = ip_hdr(skb);
	const struct tcphdr *th = tcp_hdr(skb);
	const __u16 peer_mss = *mssp;
	int idx = 0;

	/* Presumably records the overflow on the listener; side effect on @sk. */
	tcp_synq_overflow(sk);

	/*
	 * Linear scan: stop at the first index whose successor entry is >= the
	 * peer MSS. NOTE(review): termination relies on msstab[]'s last entry
	 * being >= 65535 (the largest __u16), which is not visible here; and for
	 * a peer MSS <= msstab[0] the result is msstab[0] + 1, which may exceed
	 * the input rather than being "rounded down".
	 * XXX sort msstab[] by probability?  Binary search?
	 */
	while (peer_mss > msstab[idx + 1])
		idx++;
	*mssp = msstab[idx] + 1;

	NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_SYNCOOKIESSENT);

	return secure_tcp_syn_cookie(iph->saddr, iph->daddr, th->source, th->dest,
				     ntohl(th->seq), jiffies / (HZ * 60), idx);
}