From: "Massimo S."
To: eCS ISP Mailing List
Reply-To: ml@ecomstation.it
Subject: DDOS attacks and tcp/ip SYNCOOKIE flag
Date: Wed, 4 Feb 2026 13:38:48 +0100
Message-ID: <33a139a3-8458-9c6b-14c5-c72149ee6c6b@ecomstation.it>

Hi all,

to mitigate the effects of DDoS attacks (e.g. the ones on ports 80 and 443) it is suggested to turn ON the syncookie TCP/IP flag.

But I've realized that on eCS and AOS this parameter gives a number of issues. Clients start calling to report that images on websites do not load correctly or take a lot of time to render/complete.

I've also seen that turning ON this flag increases the instability of the web server VM, to the point that the entire OS can completely freeze (this on eCS and AOS too).

The SYNATTACK flag seems to work properly instead, but SYNCOOKIE, I guess, is very bugged.

massimo