Detections
Analytics
RHEL-06-000095 - The system must be configured to use TCP syncookies when experiencing a TCP SYN flood - config
Information
A TCP SYN flood attack can cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies can be used to track a connection when a subsequent ACK is received, verifying the initiator is attempting a valid connection and is not a flood source. This feature is activated when a flood condition is detected, and enables the system to continue servicing valid connection requests.Solution
To set the runtime status of the 'net.ipv4.tcp_syncookies' kernel parameter, run the following command:# sysctl -w net.ipv4.tcp_syncookies=1
Set the system to the required kernel parameter by adding the following line to '/etc/sysctl.conf' or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
net.ipv4.tcp_syncookies = 1
Issue the following command to make the changes take effect:
# sysctl --system
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_6_V2R2_STIG.zip
Item Details
Audit Name: DISA Red Hat Enterprise Linux 6 STIG v2r2
Category: SYSTEM AND COMMUNICATIONS PROTECTION
References: 800-53|SC-5(2), CAT|II, CCI|CCI-001095, Rule-ID|SV-217923r603264_rule, STIG-ID|RHEL-06-000095, STIG-Legacy|SV-50340, STIG-Legacy|V-38539, Vuln-ID|V-217923
Plugin: Unix
Control ID: f670517afd72227912255c2e32079a0a3f531afe51fe419b30679971c2ce3617