tl;dr: They backported an existing kernel feature (per-cpu syn cookie generation) to 3.x using iptables (rather than just maintaining a patchset) because they didn't want to run a current kernel or maintain a fork.
I am curious how effective this is at larger SYN floods. Obviously when something hits near 1 Gbps, it's game over for any server, as that floods the uplink (assuming a standard 1 Gbps hookup).

How many Mb/s or pps can this handle on an average server while still having the server be able to respond to legitimate requests? (Let's say an average server is a quad core, 3.5 GHz, 8 GB RAM.)
Why don't you guys just run the most modern stable kernel as opposed to 3.x?

You say: "While Linux 4.x has a patch to send SYN cookies under a per-CPU-core socket lock, which does fix the problem, we wanted a solution that allowed us to use an existing, maintained kernel with upstream security patches. We didn't want to roll and maintain an entire custom kernel and all related future security patches just to mitigate this form of attack. Patching Linux 3.x to backport the socket lock change was also a similar maintenance burden we wanted to avoid."

But, if this is the case, what's wrong with using Linux's LTS kernel, or the stable current kernel? The kernel.org team does a great job maintaining these. Which upstream vendor are you relying on?

Depending on your workload, and your kernel version, there are some fairly large performance improvements. These performance improvements in my testing primarily land in networking and I/O, affecting many applications.

I think your work is awesome. I just think backporting, and not installing linux-image-generic, might be a lot of work for not much benefit. I'd love to hear your reasoning that leads you to believe that's a better option for security or stability compared to using the trusty kernel.

Also, typo: `causese all` -> `causes all`.
So instead of using a SYN attack, attackers can just run a full-open TCP attack. Not as effective if all you have is one or two servers with big pipes, but a botnet should make it feasible.