RHEL-06-000095 - The system must be configured to use TCP syncookies when experiencing a TCP SYN flood - sysctl

Information

A TCP SYN flood attack can cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies can be used to track a connection when a subsequent ACK is received, verifying the initiator is attempting a valid connection and is not a flood source. This feature is activated when a flood condition is detected, and enables the system to continue servicing valid connection requests.

Solution

To set the runtime status of the 'net.ipv4.tcp_syncookies' kernel parameter, run the following command:

# sysctl -w net.ipv4.tcp_syncookies=1

Set the system to the required kernel parameter by adding the following line to '/etc/sysctl.conf' or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value):

net.ipv4.tcp_syncookies = 1

Issue the following command to make the changes take effect:

# sysctl --system

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_6_V2R2_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-5(2), CAT|II, CCI|CCI-001095, Rule-ID|SV-217923r603264_rule, STIG-ID|RHEL-06-000095, STIG-Legacy|SV-50340, STIG-Legacy|V-38539, Vuln-ID|V-217923

Plugin: Unix

Control ID: f670517afd72227912255c2e32079a0a3f531afe51fe419b30679971c2ce3617