On Tue, 06 Nov 2012, Robert Elz wrote:
>     Date:        Mon, 5 Nov 2012 22:26:59 -0500 (EST)
>     From:        Mouse <mouse%Rodents-Montreal.ORG@localhost>
>     Message-ID:  <201211060326.WAA17541%Sparkle.Rodents-Montreal.ORG@localhost>
>
>   | Except that it's not; it's no different from a server that crashes
>   | immediately after sending _every_ SYN|ACK packet
>
> No, only the ones where the returning ACK is lost by the network.
> That is, it is the same as a server that crashes sometimes. That's
> every server...
If you have N% packet loss (for reasonable values of N), and if the losses are evenly distributed per packet, then SYN cookies amplify the problem from "N% of packets get lost but retransmission causes most TCP connections to work anyway" to "N% of TCP connections get into this stuck state".
I just tried "ping -c100 -i1 www.netbsd.org" twice, and got 3% ping loss once and 5% loss once. Since a successful ping requires two packets, the packet loss rate is somewhere around 1.5% to 2.5%. Such a packet loss rate is annoying, but if it were amplified to a 1.5% to 2.5% TCP connection failure rate then it would be much more annoying.
--apb (Alan Barrett)
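
The amplification argued in the message above can be checked with a small Monte Carlo model; this is an added example, not part of the original thread. It assumes independent per-packet loss, three retransmissions per side, and a client that sends nothing further after its final ACK (for example a protocol where the server speaks first); the function names are hypothetical.

```python
import random

def handshake(loss, syn_cookies, rng, retries=3):
    """Simulate one TCP handshake; return 'ok', 'failed' or 'stuck'.

    'stuck' means the client believes the connection is established while
    the server holds no state for it, and (assumption) the client stays
    silent, so nothing ever repairs the situation.
    """
    def delivered():
        return rng.random() >= loss

    # Phase 1: the client retransmits its SYN until a SYN|ACK comes back.
    # This phase behaves the same with or without SYN cookies.
    for _ in range(1 + retries):
        if delivered() and delivered():      # SYN out, SYN|ACK back
            break
    else:
        return "failed"                      # client times out and knows it

    # Phase 2: the client is ESTABLISHED and sends the final ACK once.
    if delivered():
        return "ok"
    if syn_cookies:
        return "stuck"                       # no server state, no SYN|ACK retransmit

    # Stateful server: the half-open entry drives SYN|ACK retransmissions,
    # and the client re-ACKs each SYN|ACK that reaches it.
    for _ in range(retries):
        if delivered() and delivered():      # SYN|ACK out, ACK back
            return "ok"
    return "stuck"

def stuck_rate(loss, syn_cookies, trials=200_000, seed=1):
    """Fraction of simulated handshakes that end in the stuck state."""
    rng = random.Random(seed)
    stuck = sum(handshake(loss, syn_cookies, rng) == "stuck"
                for _ in range(trials))
    return stuck / trials

if __name__ == "__main__":
    # Loss rates taken from the ping measurement in the message.
    for loss in (0.015, 0.025):
        print(f"loss={loss:.1%}  "
              f"stateful stuck={stuck_rate(loss, False):.5%}  "
              f"syn-cookie stuck={stuck_rate(loss, True):.3%}")
```
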