Dmitry Teselkin | af730f9 | 2018-08-16 11:29:55 +0300

# 3.2.8 Ensure TCP SYN Cookies is enabled
#
# Description
# ===========
# When tcp_syncookies is set, the kernel will handle TCP SYN packets normally
# until the half-open connection queue is full, at which time the SYN cookie
# functionality kicks in. SYN cookies work by not using the SYN queue at all.
# Instead, the kernel simply replies to the SYN with a SYN|ACK, but will
# include a specially crafted TCP sequence number that encodes the source and
# destination IP address and port number and the time the packet was sent.
# A legitimate connection would send the ACK packet of the three-way handshake
# with the specially crafted sequence number. This allows the system to verify
# that it has received a valid response to a SYN cookie and allow the
# connection, even though there is no corresponding SYN in the queue.
#
# Rationale
# =========
# Attackers use SYN flood attacks to perform a denial of service attack on a
# system by sending many SYN packets without completing the three-way handshake.
# This will quickly use up slots in the kernel's half-open connection queue and
# prevent legitimate connections from succeeding. SYN cookies allow the system
# to keep accepting valid connections, even if under a denial of service attack.
#
# Audit
# =====
#
# Run the following command and verify the output matches:
#
# # sysctl net.ipv4.tcp_syncookies
# net.ipv4.tcp_syncookies = 1
#
# Remediation
# ===========
#
# Set the following parameter in the /etc/sysctl.conf file:
#
# net.ipv4.tcp_syncookies = 1
#
# Run the following commands to set the active kernel parameters:
#
# # sysctl -w net.ipv4.tcp_syncookies=1
# # sysctl -w net.ipv4.route.flush=1

parameters:
  linux:
    system:
      kernel:
        sysctl:
          net.ipv4.tcp_syncookies: 1
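The Audit section above checks only the running kernel; a host also fails the control if /etc/sysctl.conf does not carry the setting persistently. The following POSIX shell script is an added example, not part of this formula or the CIS benchmark: it audits both the live value (read straight from /proc, so it does not depend on the sysctl binary) and the persistent value, parsing sysctl.conf-style text the way procps does (whole-line `#`/`;` comments, last assignment wins). The sample configuration fragment embedded in it is constructed for the example, and the file paths are the usual defaults, passed as overridable arguments.

```shell
#!/bin/sh
# Added example (not part of the salt formula): audit helpers for the
# net.ipv4.tcp_syncookies control. Kernel values: 0 = off, 1 = cookies only
# once the SYN backlog overflows, 2 = always on. The benchmark asks for 1.

KEY=net.ipv4.tcp_syncookies
PROC_FILE=/proc/sys/net/ipv4/tcp_syncookies

# Returns 0 only for the value the benchmark requires.
syncookies_value_ok() {
    [ "$1" = "1" ]
}

# Print the effective value of a key from sysctl.conf-style text on stdin.
# Whole-line comments (# or ;) and blank lines are skipped, whitespace around
# "=" is tolerated, and a later assignment overrides an earlier one, matching
# how sysctl --system applies the file. Prints nothing if the key is absent.
sysctl_conf_value() {
    awk -F= -v k="$1" '
        /^[ \t]*[#;]/ { next }   # whole-line comment
        /^[ \t]*$/    { next }   # blank line
        {
            key = $1; sub(/^[ \t]+/, "", key); sub(/[ \t]+$/, "", key)
            if (key == k) {
                v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
                last = v; found = 1
            }
        }
        END { if (found) print last }'
}

# Audit the running kernel. 0 = compliant, 1 = wrong value, 2 = not readable
# (e.g. a container without /proc/sys mounted, or a non-Linux host).
audit_running_syncookies() {
    f="${1:-$PROC_FILE}"
    [ -r "$f" ] || return 2
    syncookies_value_ok "$(cat "$f")"
}

# Audit the persistent setting in a sysctl.conf file. Same return codes.
audit_persistent_syncookies() {
    conf="${1:-/etc/sysctl.conf}"
    [ -r "$conf" ] || return 2
    syncookies_value_ok "$(sysctl_conf_value "$KEY" < "$conf")"
}

# Constructed sysctl.conf fragment (not a real host file) showing why the
# last assignment must win: a careless earlier line disables the feature.
SAMPLE_CONF='# constructed example
net.ipv4.tcp_syncookies = 0
net.ipv4.ip_forward = 0

; re-enabled further down, so the effective value is 1
net.ipv4.tcp_syncookies = 1
'

# Stand-alone run: evaluate the sample, then the live host if /proc is there.
main() {
    v=$(printf '%s' "$SAMPLE_CONF" | sysctl_conf_value "$KEY")
    printf 'sample fragment: effective %s = %s\n' "$KEY" "${v:-<unset>}"
    if audit_running_syncookies; then
        printf 'PASS: running kernel has %s = 1\n' "$KEY"
    else
        printf 'FAIL/N-A: running kernel value is "%s"\n' \
            "$(cat "$PROC_FILE" 2>/dev/null)"
    fi
}
main
```

Both audit functions return 2 rather than 1 when the source is unreadable, so a wrapper can distinguish "non-compliant" from "could not be checked" instead of silently passing or failing a host where /proc/sys is not mounted. The parser deliberately does not normalise the slash form of keys (net/ipv4/tcp_syncookies), which sysctl also accepts; add that if your fleet uses it.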