Linux SYN cookies performance and memory

We have been playing around with Linux SYN cookies to test their performance and have come to the following conclusions.

It is always good to detect SYN floods and only then turn on SYN cookies, so that CPU power is used where it is needed; that means the SYN flood must be detected and the sysctl SYN cookie value set to 1 in real time. With SYN cookies turned on, your server's CPU and network stack will be slightly affected, but RAM usage will not increase during a SYN flood: the kernel does not allocate the TCP buffers for a connection until the client's ACK completes the handshake in reply to the SYN/ACK.
So if you have a dual-core box with 1 GB of RAM and good enough connectivity, you can leave SYN cookies enabled without much performance loss, even if you get quite decent legitimate traffic.

SYN cookie protection on Linux can be activated in real time with sysctl:
sysctl -w net.ipv4.tcp_syncookies=1

You can also increase the SYN backlog, to, say, 1536:
sysctl -w net.ipv4.tcp_max_syn_backlog=1536
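The post's advice is to detect the flood first and then flip the sysctl. The script below is an added example, not part of the original post: it counts half-open connections (state 03, TCP_SYN_RECV, in /proc/net/tcp), compares the count with a threshold you choose, and only then applies the two sysctl settings quoted above. The sample /proc/net/tcp content is constructed here for demonstration; the threshold value of 2 is an arbitrary example, and enable_syncookies needs root on a real host.

```shell
#!/bin/sh
# Added example (not from the original post). Detect a SYN flood by counting
# sockets in SYN_RECV and enable SYN cookies only when a threshold is exceeded.

# count_syn_recv [FILE]: number of sockets in SYN_RECV (state 03) in a
# /proc/net/tcp-format file. Defaults to the live /proc/net/tcp.
# Field 4 of every data row is the socket state in hex; row 1 is the header.
count_syn_recv() {
    awk 'NR > 1 && $4 == "03" { n++ } END { print n + 0 }' "${1:-/proc/net/tcp}"
}

# should_enable_syncookies FILE THRESHOLD: prints 1 when the SYN_RECV count
# is above THRESHOLD, otherwise 0.
should_enable_syncookies() {
    count=$(count_syn_recv "$1")
    if [ "$count" -gt "$2" ]; then
        echo 1
    else
        echo 0
    fi
}

# enable_syncookies: apply the settings from the post, then read them back
# so the change is confirmed. Requires root; not called in the demo below.
enable_syncookies() {
    sysctl -w net.ipv4.tcp_syncookies=1
    sysctl -w net.ipv4.tcp_max_syn_backlog=1536
    sysctl net.ipv4.tcp_syncookies net.ipv4.tcp_max_syn_backlog
}

# Constructed sample in /proc/net/tcp format: one LISTEN socket (0A), one
# ESTABLISHED socket (01) and three half-open SYN_RECV sockets (03).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0050 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0050 0100007F:C351 03 00000000:00000000 00:00000000 00000000     0        0 0 1 0000000000000000 100 0 0 10 0
   3: 0100007F:0050 0100007F:C352 03 00000000:00000000 00:00000000 00000000     0        0 0 1 0000000000000000 100 0 0 10 0
   4: 0100007F:0050 0100007F:C353 03 00000000:00000000 00:00000000 00000000     0        0 0 1 0000000000000000 100 0 0 10 0
EOF

# Demo on the constructed sample with an example threshold of 2.
# On a live box you would call should_enable_syncookies /proc/net/tcp 1000
# from cron or a monitoring loop and run enable_syncookies when it prints 1.
echo "SYN_RECV sockets in sample: $(count_syn_recv "$SAMPLE")"
if [ "$(should_enable_syncookies "$SAMPLE" 2)" = 1 ]; then
    echo "threshold exceeded: would run enable_syncookies"
else
    echo "below threshold: nothing to do"
fi
```

On a live system `ss -n state syn-recv` lists the same half-open sockets and is quicker than parsing /proc/net/tcp by hand. Keep in mind that with net.ipv4.tcp_syncookies=1 the kernel only starts sending cookies once a listening socket's SYN backlog overflows, so raising net.ipv4.tcp_max_syn_backlog also raises the point at which cookies kick in.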

For FreeBSD you can tune the TCP listen queue length (the maximum accept backlog a listen(2) call may request, which is a different queue from the SYN backlog above) by issuing:
sysctl -w kern.ipc.somaxconn=1024
