# Last changed by Dmitry Teselkin (commit af730f9), 2018-08-16 11:29:55 +0300
# 3.2.8 Ensure TCP SYN Cookies is enabled
#
# Description
# ===========
# When tcp_syncookies is set, the kernel will handle TCP SYN packets normally
# until the half-open connection queue is full, at which time the SYN cookie
# functionality kicks in. SYN cookies work by not using the SYN queue at all.
# Instead, the kernel simply replies to the SYN with a SYN|ACK, but will
# include a specially crafted TCP sequence number that encodes the source and
# destination IP address and port number and the time the packet was sent.
# A legitimate connection would send the ACK packet of the three-way handshake
# with the specially crafted sequence number. This allows the system to verify
# that it has received a valid response to a SYN cookie and allow the
# connection, even though there is no corresponding SYN in the queue.
#
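The mechanism described above, as an added Python model (constructed for this page; it is not the kernel's code and not part of this pillar file). It assumes a simplified cookie layout, an 8-bit time counter above a 24-bit keyed-hash-plus-MSS field, and uses HMAC-SHA256 as the keyed hash where Linux uses its own keyed hash; the key, addresses, ports and sequence numbers are made-up sample values. The server keeps no per-connection state between the SYN and the ACK: everything it needs is recovered from the ACK's acknowledgement number, and an ACK that is stale, or whose number was not produced with the secret, is dropped.

```python
"""Toy model of TCP SYN cookies: stateless SYN|ACK, verified on the ACK.
Constructed example, not kernel code. The 8/24-bit split and HMAC-SHA256
are simplifications of the Linux scheme."""
import hashlib
import hmac
import ipaddress
import struct

COOKIE_BITS = 24                      # low bits: keyed hash + encoded MSS
COUNT_BITS = 32 - COOKIE_BITS         # high bits: coarse time counter
MAX_COOKIE_AGE = 2                    # counter ticks a cookie stays valid
MSS_TABLE = (536, 1300, 1440, 1460)   # the only MSS values the cookie can carry
MASK32 = 0xFFFFFFFF
LOW_MASK = (1 << COOKIE_BITS) - 1

# Constructed sample values used by the demo and tests (not from a real host).
KEY = b"constructed-demo-secret"      # per-boot secret known only to the server
CLIENT, SERVER = "198.51.100.7", "203.0.113.10"


def _mac(key, saddr, daddr, sport, dport, count):
    """32-bit keyed hash over the 4-tuple and a counter; without the key an
    outsider cannot produce or predict it (HMAC-SHA256 stands in for the
    kernel's keyed hash in this model)."""
    msg = (ipaddress.IPv4Address(saddr).packed
           + ipaddress.IPv4Address(daddr).packed
           + struct.pack("!HHI", sport, dport, count & MASK32))
    return struct.unpack("!I", hmac.new(key, msg, hashlib.sha256).digest()[:4])[0]


def make_syn_cookie(key, saddr, daddr, sport, dport, client_isn, count, mss):
    """Server, on SYN: build the ISN sent in the SYN|ACK. Nothing is queued;
    every fact needed later is folded into this 32-bit number."""
    mss_idx = max((i for i, v in enumerate(MSS_TABLE) if v <= mss), default=0)
    h1 = _mac(key, saddr, daddr, sport, dport, 0)
    h2 = _mac(key, saddr, daddr, sport, dport, count)
    low = (h2 + mss_idx) & LOW_MASK
    return (h1 + client_isn + (count << COOKIE_BITS) + low) & MASK32


def check_syn_cookie(key, saddr, daddr, sport, dport, client_isn, cookie, now):
    """Server, on ACK: cookie is the ACK's ack number minus 1, client_isn its
    seq number minus 1. Returns the MSS carried by a genuine, fresh cookie,
    or None, meaning the ACK is dropped."""
    h1 = _mac(key, saddr, daddr, sport, dport, 0)
    diff = (cookie - h1 - client_isn) & MASK32
    age = (now - (diff >> COOKIE_BITS)) & ((1 << COUNT_BITS) - 1)
    if age >= MAX_COOKIE_AGE:
        return None                                   # too old, or counter forged
    h2 = _mac(key, saddr, daddr, sport, dport, now - age)  # counter at SYN time
    mss_idx = (diff - h2) & LOW_MASK
    return MSS_TABLE[mss_idx] if mss_idx < len(MSS_TABLE) else None


def handshake(key, saddr, daddr, sport, dport, client_isn, mss, syn_tick, ack_tick):
    """Full SYN -> SYN|ACK -> ACK exchange against a stateless server. Returns
    the negotiated MSS, or None if the ACK does not prove receipt of the SYN|ACK."""
    server_isn = make_syn_cookie(key, saddr, daddr, sport, dport, client_isn, syn_tick, mss)
    # What a real client puts in its ACK: seq = its ISN + 1, ack = server ISN + 1.
    ack_seq, ack_ack = (client_isn + 1) & MASK32, (server_isn + 1) & MASK32
    return check_syn_cookie(key, saddr, daddr, sport, dport,
                            (ack_seq - 1) & MASK32, (ack_ack - 1) & MASK32, ack_tick)


if __name__ == "__main__":
    print("valid ACK :", handshake(KEY, CLIENT, SERVER, 40000, 443, 0x1A2B3C4D, 1450, 10, 11))
    print("stale ACK :", handshake(KEY, CLIENT, SERVER, 40000, 443, 0x1A2B3C4D, 1450, 10, 12))
```

The freshness window is what bounds the cost of a flood: a SYN that never gets its ACK costs the server one hash computation and no memory, and an ACK arriving after `MAX_COOKIE_AGE` ticks is discarded without any lookup. The price of the scheme, visible in `MSS_TABLE`, is that only a handful of bits are left to remember TCP options, which is why the kernel only switches to cookies once the queue is full rather than all the time.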
# Rationale
# =========
# Attackers use SYN flood attacks to perform a denial of service attack on a
# system by sending many SYN packets without completing the three-way handshake.
# This will quickly use up slots in the kernel's half-open connection queue and
# prevent legitimate connections from succeeding. SYN cookies allow the system
# to keep accepting valid connections, even if under a denial of service attack.
#
# Audit
# =====
#
# Run the following commands and verify output matches:
#
# # sysctl net.ipv4.tcp_syncookies
# net.ipv4.tcp_syncookies = 1
#
# Remediation
# ===========
#
# Set the following parameter in the /etc/sysctl.conf file:
#
# net.ipv4.tcp_syncookies = 1
#
# Run the following commands to set the active kernel parameters:
#
# # sysctl -w net.ipv4.tcp_syncookies=1
# # sysctl -w net.ipv4.route.flush=1

parameters:
  linux:
    system:
      kernel:
        sysctl:
          net.ipv4.tcp_syncookies: 1
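An added audit helper in Python for the Audit and Remediation steps above (constructed for this page; it is not part of this pillar, the linux formula or the benchmark). It parses the output of `sysctl net.ipv4.tcp_syncookies` for the running value and sysctl.conf-style files for the persisted value, treating a later assignment as overriding an earlier one the way `sysctl --system` does, and ignoring commented-out lines, which is the usual false positive in a grep-based check. The sample sysctl output and file contents are constructed, and the drop-in path is hypothetical; the remediation strings it emits are the commands listed above.

```python
"""Audit helper for 3.2.8: running value from sysctl output, persisted value
from sysctl.conf-style files, remediation still needed. Constructed example;
the sample output and file contents below are made up, not from a real host."""
import re

SYSCTL_KEY = "net.ipv4.tcp_syncookies"
EXPECTED = "1"
# 'key = value', 'key=value' or 'key value'; sysctl also accepts '/' for '.' in keys
_ASSIGN_RE = re.compile(r"^([A-Za-z0-9_./-]+)\s*(?:=|\s)\s*(.*?)\s*$")


def parse_sysctl_lines(text):
    """Parse sysctl(8) output or a sysctl.conf-style file into {key: value}.
    Comment lines (# or ;) and blanks are skipped; when a key is assigned more
    than once the later assignment wins, as it does for sysctl -p/--system."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = _ASSIGN_RE.match(line)
        if m:
            values[m.group(1).replace("/", ".")] = m.group(2)
    return values


def audit_syncookies(sysctl_output, conf_files, key=SYSCTL_KEY):
    """sysctl_output: text of `sysctl net.ipv4.tcp_syncookies`.
    conf_files: [(path, contents), ...] in the order sysctl --system reads them,
    so /etc/sysctl.conf comes last. Returns the running and persisted values,
    the file that supplied the persisted value, and the remediation steps from
    the benchmark that still apply."""
    running = parse_sysctl_lines(sysctl_output).get(key)
    persisted, persisted_in = None, None
    for path, contents in conf_files:
        value = parse_sysctl_lines(contents).get(key)
        if value is not None:
            persisted, persisted_in = value, path   # last file wins
    remediation = []
    if persisted != EXPECTED:
        remediation.append(f"set '{key} = {EXPECTED}' in /etc/sysctl.conf")
    if running != EXPECTED:
        remediation += [f"sysctl -w {key}={EXPECTED}", "sysctl -w net.ipv4.route.flush=1"]
    return {"running": running, "persisted": persisted, "persisted_in": persisted_in,
            "compliant": not remediation, "remediation": remediation}


# Constructed sample input: the running kernel reports 0, a hypothetical drop-in
# sets 0, and /etc/sysctl.conf has a commented-out line followed by a real one.
SAMPLE_SYSCTL_OUTPUT = "net.ipv4.tcp_syncookies = 0\n"
SAMPLE_DROPIN = "net/ipv4/tcp_syncookies=0\n"
SAMPLE_SYSCTL_CONF = """# /etc/sysctl.conf (constructed)
net.ipv4.ip_forward = 0
#net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_syncookies = 1
"""

if __name__ == "__main__":
    report = audit_syncookies(SAMPLE_SYSCTL_OUTPUT,
                              [("/etc/sysctl.d/10-demo.conf", SAMPLE_DROPIN),
                               ("/etc/sysctl.conf", SAMPLE_SYSCTL_CONF)])
    for name, value in report.items():
        print(f"{name:13}: {value}")
```

With the sample input the persisted value is found to be 1 (the commented line is ignored and /etc/sysctl.conf overrides the drop-in), but the running value is 0, so only the two `sysctl -w` commands are reported as outstanding. Feeding it real output from the two commands in the Audit section, rather than the constructed strings, gives the same distinction between "configured but not applied" and "not configured at all".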