3.3.1.18 Ensure net.ipv4.tcp_syncookies is configured

Information

When tcp_syncookies is set, the kernel handles TCP SYN packets normally until the half-open connection queue is full, at which point the SYN cookie functionality kicks in. SYN cookies work by not using the SYN queue at all. Instead, the kernel simply replies to the SYN with a SYN/ACK, but includes a specially crafted TCP sequence number that encodes the source and destination IP addresses and port numbers and the time the packet was sent. A legitimate client sends the ACK packet of the three-way handshake with the specially crafted sequence number. This allows the system to verify that it has received a valid response to a SYN cookie and accept the connection, even though there is no corresponding SYN in the queue.

Attackers use SYN flood attacks to perform a denial-of-service attack on a system by sending many SYN packets without completing the three-way handshake. This quickly uses up slots in the kernel's half-open connection queue and prevents legitimate connections from succeeding. Setting net.ipv4.tcp_syncookies to 1 enables SYN cookies, allowing the system to keep accepting valid connections even while under a denial-of-service attack.

Solution

- Review all files being used by systemd sysctl and comment out or remove all net.ipv4.tcp_syncookies lines that are not net.ipv4.tcp_syncookies=1.

Example script:

#!/usr/bin/env bash

{
# Option to enforce and the only value that may remain active
l_option="net.ipv4.tcp_syncookies" l_value="1"
# Regex form of the option: sysctl accepts "." or "/" as the separator
l_grep="${l_option//./(\\.|\\/)}" a_files=()
# Locate the systemd-sysctl binary (its path differs between distributions)
l_systemdsysctl="$(readlink -e /lib/systemd/systemd-sysctl \
|| readlink -e /usr/lib/systemd/systemd-sysctl)"
# UFW ships its own sysctl file; include it if IPT_SYSCTL points at one
l_ufw_file="$([ -f /etc/default/ufw ] && \
awk -F= '/^\s*IPT_SYSCTL=/ {print $2}' /etc/default/ufw)"
[ -f "$(readlink -e "$l_ufw_file")" ] && \
a_files+=("$l_ufw_file"); a_files+=("/etc/sysctl.conf")
# Add every .conf file systemd-sysctl would load, skipping duplicates
while IFS= read -r l_fname; do
l_file="$(readlink -e "${l_fname//# /}")"
[ -n "$l_file" ] && ! grep -Psiq -- '(^|\h+)'"$l_file"'\b' \
<<< "${a_files[*]}" && a_files+=("$l_file")
done < <("$l_systemdsysctl" --cat-config | tac | \
grep -Pio -- '^\h*#\h*\/[^#\n\r\h]+\.conf\b')
# Comment out any tcp_syncookies line whose value is not 1
for l_file in "${a_files[@]}"; do
grep -Poi -- '\h*'"$l_grep"'\h*=\h*\H+\b' "$l_file" \
| grep -Pivq -- '^\h*'"$l_grep"'\h*=\h*'"$l_value"'\b' && \
sed -ri '/^\s*'"$l_grep"'\s*=\s*(0|[2-9]|1[0-9]+)/s/^/# /' "$l_file"
done
}

- Create or edit a file in the /etc/sysctl.d/ directory ending in .conf and edit or add the following line:

net.ipv4.tcp_syncookies = 1

Example:

# [ ! -d "/etc/sysctl.d/" ] && mkdir -p /etc/sysctl.d/
# printf '%s\n' "" "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.d/60-ipv4_sysctl.conf

Note: If the UFW file was the first file listed in the audit, the entry will be commented out as part of the first step; however, updating Uncomplicated Firewall (UFW) may overwrite that change. In that case the updated entry will supersede the entry created in this step.

- Run the following command to load all sysctl configuration files:

# sysctl --system
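A small audit helper, added here and not part of the benchmark's own script, that reports what value of net.ipv4.tcp_syncookies each sysctl file sets, the effective configured value, and the value the running kernel is using. It assumes sysctl.conf "key = value" syntax and that the files are passed in load order (later files win), as systemd-sysctl applies them.

```bash
#!/usr/bin/env bash
# Added audit example (not the benchmark's remediation script).
# Assumption: files use sysctl.conf syntax and are given in load order.

# Print the value set in one file (last uncommented assignment wins), or nothing.
# Both "net.ipv4.tcp_syncookies" and "net/ipv4/tcp_syncookies" spellings count.
syncookies_value_in_file() {
    awk '
        /^[[:space:]]*[#;]/ { next }          # comment line
        index($0, "=") == 0 { next }          # not an assignment
        {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/[[:space:]]/, "", key); gsub("/", ".", key)
            sub(/^-/, "", key)                # leading "-" = ignore errors
            sub(/^[[:space:]]+/, "", val); sub(/[[:space:]]+$/, "", val)
            if (key == "net.ipv4.tcp_syncookies") last = val
        }
        END { if (last != "") print last }
    ' "$1"
}

# Walk the files in load order, print "file: value" for each hit and the
# effective value. Returns 0 when the effective value is 1, 1 otherwise.
audit_syncookies_files() {
    local f v effective=""
    for f in "$@"; do
        [ -r "$f" ] || continue
        v="$(syncookies_value_in_file "$f")"
        if [ -n "$v" ]; then
            printf '%s: net.ipv4.tcp_syncookies = %s\n' "$f" "$v"
            effective="$v"
        fi
    done
    printf 'effective configured value: %s\n' "${effective:-unset}"
    [ "$effective" = "1" ]
}

# Value the running kernel is using, if the procfs node exists on this host.
running_syncookies_value() {
    [ -r /proc/sys/net/ipv4/tcp_syncookies ] && cat /proc/sys/net/ipv4/tcp_syncookies
}
```

Pass the files in the order systemd-sysctl lists them (for example the output of `systemd-sysctl --cat-config` filtered to file names) so that the effective value matches what the kernel loads; a mismatch between the configured and running values means `sysctl --system` has not been run since the change.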

See Also

https://workbench.cisecurity.org/benchmarks/24330

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-5, 800-53|SC-5(2), CCI|CCI-001095, CCI|CCI-002385, CSCv7|9.2, Rule-ID|SV-234829r958528_rule, Rule-ID|SV-257957r1045009_rule, Rule-ID|SV-260522r1069097_rule, Rule-ID|SV-269435r1050318_rule, Rule-ID|SV-270753r1066748_rule, Rule-ID|SV-271884r1092364_rule, STIG-ID|ALMA-09-042480, STIG-ID|RHEL-09-253010, STIG-ID|SLES-15-010310, STIG-ID|UBTU-22-253010, STIG-ID|UBTU-24-600190

Plugin: Unix

Control ID: 391fa154b23773efd7f1cca905f82b8f373df70c5b3ac8d581bb5f94a747b220