[pve-devel] pvefw: using ctmark to associate connections to VMs
Dietmar Maurer
dietmar at proxmox.com
Mon Mar 3 17:28:44 CET 2014
> > > I don't know if we can set up a really high value by default?
> >
> > no idea, sorry.
> >
> > > Also, it seems that another option must be tuned,
> > >
> > > /etc/modprobe.conf:
> > >
> > > options ip_conntrack hashsize=32768
> > >
> > >
> > > I need to read a little more about it
> >
> > Does that mean that everybody can start a DOS attack by simply
> > opening (faking) 64000 tcp connections?
>
> http://tools.ietf.org/html/rfc4987
>
> So what can we do to prevent that?
Seems syncookies are off by default?
# cat /proc/sys/net/ipv4/tcp_syncookies
0
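
The check at the end of this message, extended into a small audit of the settings the thread raises (SYN cookies and conntrack table fill). This is an added example, not part of the original post or of pvefw; the `nf_conntrack_*` paths are the current kernel names, and the 80% threshold, the function names and the sample values are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the SYN-flood-related settings raised in this thread.
# PROC_ROOT defaults to /proc; nf_conntrack_* are the current kernel names
# (assumption: the thread's ip_conntrack module predates them).
WARN_PCT=80   # assumed alert threshold for conntrack table fill

# Print the first line of a file, or nothing if it is unreadable.
read_val() { [ -r "$1" ] && head -n 1 "$1" 2>/dev/null || true; }

audit_synflood() {
    as_root="${1:-/proc}"
    as_cookies=$(read_val "$as_root/sys/net/ipv4/tcp_syncookies")
    as_max=$(read_val "$as_root/sys/net/netfilter/nf_conntrack_max")
    as_count=$(read_val "$as_root/sys/net/netfilter/nf_conntrack_count")

    # 0 = off, 1 = cookies sent when the SYN backlog overflows, 2 = always.
    case "$as_cookies" in
        0)   echo "WARN tcp_syncookies=0: SYN cookies disabled" ;;
        1|2) echo "OK   tcp_syncookies=$as_cookies" ;;
        *)   echo "SKIP tcp_syncookies: not readable" ;;
    esac

    # A full conntrack table drops new connections, so report how full it is.
    if [ -n "$as_max" ] && [ -n "$as_count" ] && [ "$as_max" -gt 0 ]; then
        as_pct=$(( as_count * 100 / as_max ))
        if [ "$as_pct" -ge "$WARN_PCT" ]; then
            echo "WARN conntrack ${as_pct}% full ($as_count/$as_max)"
        else
            echo "OK   conntrack ${as_pct}% full ($as_count/$as_max)"
        fi
    else
        echo "SKIP conntrack: module not loaded or values not readable"
    fi
    return 0
}

# Constructed sample tree: syncookies off as in the post, 64000 tracked
# connections as in the quoted question, table size 65536 chosen for the demo.
make_sample_tree() {
    mkdir -p "$1/sys/net/ipv4" "$1/sys/net/netfilter"
    echo 0     > "$1/sys/net/ipv4/tcp_syncookies"
    echo 65536 > "$1/sys/net/netfilter/nf_conntrack_max"
    echo 64000 > "$1/sys/net/netfilter/nf_conntrack_count"
}

sample=$(mktemp -d)
make_sample_tree "$sample"
audit_synflood "$sample"     # run with no argument to audit the live /proc
rm -rf "$sample"
```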