|
- # 3.2.8 Ensure TCP SYN Cookies is enabled
- #
- # Description
- # ===========
- # When tcp_syncookies is set, the kernel will handle TCP SYN packets normally
- # until the half-open connection queue is full, at which time, the SYN cookie
- # functionality kicks in. SYN cookies work by not using the SYN queue at all.
- # Instead, the kernel simply replies to the SYN with a SYN|ACK, but will
- # include a specially crafted TCP sequence number that encodes the source and
- # destination IP address and port number and the time the packet was sent.
- # A legitimate connection would send the ACK packet of the three way handshake
- # with the specially crafted sequence number. This allows the system to verify
- # that it has received a valid response to a SYN cookie and allow the
- # connection, even though there is no corresponding SYN in the queue.
- #
- # Rationale
- # =========
- # Attackers use SYN flood attacks to perform a denial of service attacked on a
- # system by sending many SYN packets without completing the three way handshake.
- # This will quickly use up slots in the kernel's half-open connection queue and
- # prevent legitimate connections from succeeding. SYN cookies allow the system
- # to keep accepting valid connections, even if under a denial of service attack.
- #
- # Audit
- # =====
- #
- # Run the following commands and verify output matches:
- #
- # # sysctl net.ipv4.tcp_syncookies
- # net.ipv4.tcp_syncookies = 1
- #
- # Remediation
- # ===========
- #
- # Set the following parameter in the /etc/sysctl.conf file:
- #
- # net.ipv4.tcp_syncookies = 1
- #
- # Run the following commands to set the active kernel parameters:
- #
- # # sysctl -w net.ipv4.tcp_syncookies=1
- # # sysctl -w net.ipv4.route.flush=1
-
- parameters:
- linux:
- system:
- kernel:
- sysctl:
- net.ipv4.tcp_syncookies: 1
|
