Adjusting tcp_syncookies To Help Mitigate SYN Flood DOS Attacks

Enabling the tcp_syncookies sysctl/procfs parameter can help protect against DOS attacks. If the number set in tcp_max_syn_backlog is reached, this parameter kicks in so that your server isn't unreachable due to connections waiting for an ACK that will never come. These cookies work by replying to a SYN with a SYN/ACK as usual, but instead of going in the queue (because that number will be maxed), the SYN/ACK will give a TCP sequence number that encodes the IP address SRC and DST address, port, and a timestamp. In this scenario, an attacker would never follow up with an ACK but legitimate traffic would reply and would also include aforementioned syncookie info so that your server knows a legitimate 3-way handshake has taken place.

This functionality is enabled by default, but worth mentioning as SYN flood attacks seem to be fairly common. The only downside of enabling it is a tiny bit more CPU overhead for the creating and procesing of these syncookies, but this really isn't an issue because it's more of a failsafe and only kicks in when the tcp_max_syn_backlog limit is reached.

Check If tcp_syncookies Are Enabled

You can cat the /proc filesystem entry, and also check /etc/sysctl.conf.

cat /proc/sys/net/ipv4/tcp_syncookies
cat /etc/sysctl.conf | grep tcp_syncookies
net.ipv4.tcp_syncookies = 1

I wouldn't recommend disabling it, for any reason, but if you must.

echo "0" > /proc/sys/net/ipv4/tcp_syncookies
vi /etc/sysctl.conf


net.ipv4.tcp_syncookies = 1


net.ipv4.tcp_syncookies = 0