ddos: set net.ipv4.tcp_syncookies to 1

Setting tcp_syncookies to 1 along with the iptables
SYNPROXY module reduces latency; this improves the
situation when XDP acceleration is not enabled
and we just let iptables SYNPROXY handle the SYN flood
attack, see [0]

[0]: https://bugzilla.kernel.org/show_bug.cgi?id=219500

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
Vincent Li
2024-11-14 18:30:29 +00:00
parent eac34c4210
commit 92324f8cbd


@@ -53,7 +53,7 @@ get_ports () {
}
load_syncookie () {
sysctl -w net.ipv4.tcp_syncookies=2
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_timestamps=1
sysctl -w net.netfilter.nf_conntrack_tcp_loose=0
/usr/sbin/xdp-loader status red0 | grep 'syncookie_xdp'
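Review bot: The new `sysctl -w net.ipv4.tcp_syncookies=1` in load_syncookie() is applied unconditionally, but the commit message justifies it only for the case where XDP acceleration is not enabled and iptables SYNPROXY alone handles the flood; the very next line, `/usr/sbin/xdp-loader status red0 | grep 'syncookie_xdp'`, is what reveals whether the XDP syncookie program is loaded, so the value is chosen before that state is known. If the XDP path was the reason the previous value was 2 (cookies sent unconditionally rather than only on backlog overflow, which is what 1 means), consider gating the sysctl on the xdp-loader result, e.g. set 1 when grep finds no `syncookie_xdp` and keep 2 otherwise, or add a comment in the function stating why 1 is correct for both deployments. Also note the grep's exit status is currently unused; if it is meant as a check, act on it.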