GEN003612 - The system must be configured to use TCP syncookies when experiencing a TCP SYN flood.

Information

A TCP SYN flood attack can cause Denial of Service by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies are a mechanism used to only track a connection when a subsequent ACK is received, verifying the initiator is attempting a valid connection and is not a flood source. This technique does not operate in a fully standards-compliant manner, but is only activated when a flood condition is detected, and allows defense of the system while continuing to service valid requests.

Solution

Configure the system to use TCP syncookies when experiencing a TCP SYN flood.
Edit /etc/sysctl.conf and add a setting for 'net.ipv4.tcp_syncookies=1'.
# sysctl -p

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_Linux_5_V2R1_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-5, 800-53|SC-5(2), CAT|II, CCI|CCI-001092, CCI|CCI-001095, Rule-ID|SV-218489r603259_rule, STIG-ID|GEN003612, STIG-Legacy|SV-64209, STIG-Legacy|V-22419, Vuln-ID|V-218489

Plugin: Unix

Control ID: fdf4ac4bebbb8ef68ac0dba041c085e7224a93b431373eef45a3af8d766b1e10