As a security best practice, verify that the host system uses IPv4 Transmission Control Protocol (TCP) SYN cookies. A TCP SYN flood attack can cause a denial of service by filling the system's TCP connection table with half-open connections in the SYN_RCVD state. With SYN cookies, the kernel does not allocate state for a connection until the subsequent ACK is received, which verifies that the initiator is attempting a valid connection rather than acting as a flood source.
This technique does not operate in a fully standards-compliant manner, but is only activated when a flood condition is detected, and allows defense of the system while continuing to service valid requests.
Procedure
- Run the # cat /proc/sys/net/ipv4/tcp_syncookies command to verify whether the host system uses IPv4 TCP SYN cookies.
- If the value is not set to 1, configure the host system to use IPv4 TCP SYN cookies as follows.
- Open /etc/sysctl.conf.
- Add the following entry to the file, or update the existing entry so that the value is 1:
  net.ipv4.tcp_syncookies=1
- Save the changes and close the file.
- Run # sysctl -p to apply the configuration.
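The check and the sysctl.conf edit above, written as idempotent POSIX shell helpers (an added example, not part of the original hardening text). The file paths are parameters so the logic can be exercised against copies; the defaults are the real kernel and sysctl locations, and editing /etc/sysctl.conf or running sysctl requires root.

```shell
#!/bin/sh
# Helpers for auditing and persisting net.ipv4.tcp_syncookies=1.

# Return 0 if the running kernel has SYN cookies enabled (value 1), 1 otherwise.
# Optional argument: path to read instead of the live procfs entry.
syncookies_enabled() {
    proc_file="${1:-/proc/sys/net/ipv4/tcp_syncookies}"
    [ -r "$proc_file" ] || return 1
    [ "$(cat "$proc_file")" = "1" ]
}

# Ensure "net.ipv4.tcp_syncookies=1" is present in the given sysctl.conf:
# rewrite an existing uncommented entry in place (whatever its value or
# spacing), or append one if none exists. Prints the resulting persistent value.
ensure_syncookies_entry() {
    conf_file="${1:-/etc/sysctl.conf}"
    key_re='^[[:space:]]*net\.ipv4\.tcp_syncookies[[:space:]]*='
    [ -f "$conf_file" ] || : > "$conf_file"
    if grep -Eq "$key_re" "$conf_file"; then
        # sed -i is not POSIX, so write a temp copy and move it into place.
        tmp="$conf_file.tmp.$$"
        sed -E "s/${key_re}.*/net.ipv4.tcp_syncookies=1/" "$conf_file" > "$tmp" \
            && mv "$tmp" "$conf_file"
    else
        printf 'net.ipv4.tcp_syncookies=1\n' >> "$conf_file"
    fi
    # The last matching line is the one sysctl -p applies.
    grep -E "$key_re" "$conf_file" | tail -n 1 | sed -E 's/.*=[[:space:]]*//'
}

# Apply the persisted configuration immediately (equivalent to the manual step).
apply_sysctl_conf() {
    conf_file="${1:-/etc/sysctl.conf}"
    sysctl -p "$conf_file"
}
```

Running `ensure_syncookies_entry` twice leaves exactly one entry, so it is safe to call from configuration management.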