# 3.2.8 Ensure TCP SYN Cookies is enabled
#
# Description
# ===========
# When tcp_syncookies is set, the kernel will handle TCP SYN packets normally
# until the half-open connection queue is full, at which time the SYN cookie
# functionality kicks in. SYN cookies work by not using the SYN queue at all.
# Instead, the kernel simply replies to the SYN with a SYN|ACK, but will
# include a specially crafted TCP sequence number that encodes the source and
# destination IP address and port number and the time the packet was sent.
# A legitimate connection would send the ACK packet of the three-way handshake
# with the specially crafted sequence number. This allows the system to verify
# that it has received a valid response to a SYN cookie and allow the
# connection, even though there is no corresponding SYN in the queue.
#
# Rationale
# =========
# Attackers use SYN flood attacks to perform a denial of service attack on a
# system by sending many SYN packets without completing the three-way handshake.
# This will quickly use up slots in the kernel's half-open connection queue and
# prevent legitimate connections from succeeding. SYN cookies allow the system
# to keep accepting valid connections, even if under a denial of service attack.
#
# Audit
# =====
#
# Run the following command and verify the output matches:
#
# # sysctl net.ipv4.tcp_syncookies
# net.ipv4.tcp_syncookies = 1
#
# Remediation
# ===========
#
# Set the following parameter in the /etc/sysctl.conf file:
#
# net.ipv4.tcp_syncookies = 1
#
# Run the following commands to set the active kernel parameters:
#
# # sysctl -w net.ipv4.tcp_syncookies=1
# # sysctl -w net.ipv4.route.flush=1

parameters:
  linux:
    system:
      kernel:
        sysctl:
          net.ipv4.tcp_syncookies: 1
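# Added example (not part of the benchmark text or its tooling): an audit helper that
# checks the running value of net.ipv4.tcp_syncookies and the persistent value in the
# sysctl configuration. It assumes files are applied in the order `sysctl --system`
# uses, with /etc/sysctl.conf read last and therefore taking precedence.

```shell
#!/bin/sh
# Audit helper for CIS 3.2.8 (added example). Checks the running kernel value
# and the persistent sysctl configuration for net.ipv4.tcp_syncookies.

KEY=net.ipv4.tcp_syncookies

# Print the last value assigned to key $1 across the config files that follow,
# in the order given (later files override earlier ones). Handles '#'/';'
# comments, optional whitespace around '=' and the leading '-' sysctl accepts.
persistent_sysctl_value() {
    key=$1; shift
    val=
    for f in "$@"; do
        [ -r "$f" ] || continue
        v=$(sed 's/[#;].*$//' "$f" | awk -F= -v k="$key" '
            { gsub(/^[ \t-]+|[ \t]+$/, "", $1)
              if ($1 == k) { gsub(/^[ \t]+|[ \t]+$/, "", $2); last = $2 } }
            END { print last }')
        [ -n "$v" ] && val=$v
    done
    printf '%s\n' "$val"
}

# Print the value the running kernel uses for key $1 (empty if unreadable).
running_sysctl_value() {
    p=/proc/sys/$(printf '%s' "$1" | tr . /)
    [ -r "$p" ] && cat "$p"
}

# Exit 0 only when both the running and the persistent value are 1.
# Assumption of this example: /etc/sysctl.d/*.conf is applied before
# /etc/sysctl.conf, so the latter wins on conflict (as sysctl --system does).
audit_syncookies() {
    running=$(running_sysctl_value "$KEY")
    persistent=$(persistent_sysctl_value "$KEY" /etc/sysctl.d/*.conf /etc/sysctl.conf)
    echo "running:    $KEY = ${running:-<unreadable>}"
    echo "persistent: $KEY = ${persistent:-<not set>}"
    [ "$running" = 1 ] && [ "$persistent" = 1 ]
}

# Run the audit only when invoked as: sh audit_syncookies.sh audit
case ${1-} in audit) audit_syncookies ;; esac
```

# A remediation that only uses `sysctl -w` passes the running check but fails the
# persistent one, which is exactly the drift this audit is meant to catch after a reboot.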