[EMAIL PROTECTED] (John Goerzen) wrote on 23.05.97 in <[EMAIL PROTECTED]>:
> Sven Rudolph <[EMAIL PROTECTED]> writes:
>
> > Christoph <[EMAIL PROTECTED]> writes:
> >
> > > On 21 May 1997, John Goerzen wrote:
> > >
> > > > Since we know of a number of things that have been broken in 2.0.30
> > > > (such as IP masquerading being totally hosed), why are we distributing
> > > > that version with 1.3?
> >
> > 2.0.30 has SYN_COOKIES. This is a critical feature.
>
> Agreed. However:
>
> * Those people that need SYN flood protection will know they need it
>   and will know how to compile their own kernel. (There are few
>   people that really need this desperately, in my estimation.)

Why will they know they need it? A successful SYN attack just makes a machine deaf to the network. It usually gives NO indication what went wrong, except to somebody able to read traceroute output.

Why will they know how to compile their own kernels? What sort of magic guarantees that kernel-handling-challenged people won't be attacked that way?

> * The people that will suffer due to broken networking, etc. will not
>   necessarily know what the problem is, what to do about it, etc.

On the other hand, people suffering from this problem should have a _much_ better chance of finding out what went wrong.

> We could even include a README telling people that need SYN protection
> how to get it.

I'm sorely tempted to say that there can be no excuse to ship a kernel without SYN protection these days.

Oh, I give in. There really is no excuse.

Regards, Kai