As a security best practice, verify that the host system uses IPv4 Transmission Control Protocol (TCP) syncookies. In a TCP SYN flood, an attacker sends a large number of SYN segments, usually from spoofed source addresses, and never completes the three-way handshake. Each SYN normally causes the kernel to allocate an entry in the TCP connection table in the SYN_RCVD state, so the table fills with half-open connections and legitimate connection attempts are refused: a denial of service. With syncookies, the kernel allocates no state when the SYN arrives; instead it encodes the connection parameters in the initial sequence number of its SYN-ACK and creates the connection only when a subsequent ACK carries that value back, which verifies that the initiator completed a valid handshake and is not a flood source.

About this task

This technique does not operate in a fully standards-compliant manner, but with the recommended setting (1) it is activated only when a flood condition is detected, that is, when the SYN backlog overflows, so normal traffic is unaffected and the system continues to service valid requests while under attack. Connections that are completed through a syncookie lose TCP options negotiated in the original SYN (such as window scaling and selective acknowledgement) unless TCP timestamps are enabled, because the kernel kept no record of the SYN. The setting is not a substitute for rate limiting or upstream filtering, but it keeps a flooded host reachable.

Procedure

  1. Run cat /proc/sys/net/ipv4/tcp_syncookies (or sysctl net.ipv4.tcp_syncookies) as root to check the current setting. A value of 1 means syncookies are enabled when the SYN backlog overflows, which is the recommended setting; 0 means they are disabled; 2 means they are always used, which is intended for testing and not for production.
  2. Configure the host system to use IPv4 TCP syncookies.
    1. Open the /etc/sysctl.conf file in a text editor as root. On systems that also read drop-in files from /etc/sysctl.d, check that no file there sets net.ipv4.tcp_syncookies to a different value, because a later file overrides the earlier setting.
    2. If the file has no net.ipv4.tcp_syncookies entry, add the following line; if an entry exists with a value other than 1, change it to 1:
      net.ipv4.tcp_syncookies=1 
    3. Save the changes and close the file.
    4. Run sysctl -p to load the file so the change takes effect immediately; editing the file alone applies the setting only at the next boot. Then repeat step 1 and confirm that the reported value is 1.
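The check-and-remediate procedure above as a single script, added here as an example; it is not part of the original procedure. It assumes a Linux host with the standard /proc/sys/net/ipv4/tcp_syncookies path and /etc/sysctl.conf, and the function names (describe_syncookies, read_syncookies, ensure_sysctl_entry, audit_syncookies) and the --audit and --fix flags are this example's own. It also covers two details the manual steps gloss over: an existing entry with a different value or odd spacing is rewritten rather than duplicated, and a file without a trailing newline does not have the new entry glued onto its last line.

```shell
#!/usr/bin/env bash
# Added example: audit and, on request, remediate net.ipv4.tcp_syncookies.
# Function names and the --audit/--fix flags are this example's own; the
# /proc path, sysctl key and /etc/sysctl.conf are the standard Linux ones.
set -u

SYSCTL_KEY="net.ipv4.tcp_syncookies"
PROC_PATH="/proc/sys/net/ipv4/tcp_syncookies"
SYSCTL_CONF="/etc/sysctl.conf"

# Meaning of the kernel value: 0 = off, 1 = used only when the SYN backlog
# overflows (the recommended setting), 2 = always used (testing only).
describe_syncookies() {
    case "$1" in
        0) echo "disabled" ;;
        1) echo "enabled on backlog overflow" ;;
        2) echo "always on" ;;
        *) echo "unknown value: $1"; return 1 ;;
    esac
}

# Read the live value; an optional path argument lets tests use a file.
read_syncookies() {
    tr -d '[:space:]' < "${1:-$PROC_PATH}"
}

# Make the given sysctl file contain exactly one active line setting the key
# to 1. Active lines with any spacing around '=' are rewritten in place,
# commented lines are left alone, and the line is appended if missing.
# Safe to run repeatedly.
ensure_sysctl_entry() {
    local conf="$1" tmp key_re
    key_re="$(printf '%s' "$SYSCTL_KEY" | sed 's/\./\\./g')"   # escape dots for the regex
    tmp="$(mktemp)"
    if [ -f "$conf" ] && grep -Eq "^[[:space:]]*${key_re}[[:space:]]*=" "$conf"; then
        sed -E "s|^[[:space:]]*${key_re}[[:space:]]*=.*|${SYSCTL_KEY} = 1|" "$conf" > "$tmp"
    else
        [ -f "$conf" ] && cat "$conf" > "$tmp"
        # Avoid gluing onto a last line that has no trailing newline.
        if [ -s "$tmp" ] && [ -n "$(tail -c1 "$tmp")" ]; then printf '\n' >> "$tmp"; fi
        printf '%s = 1\n' "$SYSCTL_KEY" >> "$tmp"
    fi
    cat "$tmp" > "$conf" && rm -f "$tmp"
}

# Report the live setting. With --fix (as root) persist the value in
# SYSCTL_CONF and apply it immediately with sysctl -w, since editing the
# file alone only takes effect at the next boot.
audit_syncookies() {
    local cur
    if ! cur="$(read_syncookies 2>/dev/null)"; then
        echo "cannot read $PROC_PATH; is this a Linux host?" >&2
        return 2
    fi
    echo "$SYSCTL_KEY = $cur ($(describe_syncookies "$cur"))"
    [ "$cur" = "1" ] && return 0
    if [ "${1:-}" = "--fix" ]; then
        ensure_sysctl_entry "$SYSCTL_CONF"
        sysctl -w "$SYSCTL_KEY=1"
        return $?
    fi
    return 1
}

# Run only when invoked with a flag, so the functions can also be sourced.
case "${1:-}" in
    --audit|--fix) audit_syncookies "$1" ;;
esac
```

Run it as ./check_syncookies.sh --audit to report the live value (exit status 0 when it is 1, 1 when it is not, 2 when the /proc file is unreadable), or as root with --fix to persist and apply the setting. The remediation deliberately edits only /etc/sysctl.conf; if a drop-in under /etc/sysctl.d sets the key, fix that file instead, or the drop-in will win on the next sysctl --system.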