Monday, February 06, 2012

Hardening the TCP/IP stack to SYN attacks in Linux

     Although I am having limited experience in Linux so thought of publishing Solaris Tuning Parameters First. While got lots ofrequest for Linux so compliling the hardning parameters of Linux First. Please feel free to add your comments if some thing I missed in this part.

Linux operating systems, has implemented a SYN cookies mechanism which can be enabled in the following way:
# echo 1 > /proc/sys/net/ipv4/tcp_syncookies
Note that to make this change permanent we need to create a startup file that sets this variable. We must do the same operation for other UNIX variables described because the values for these variables will return to default upon system reboot.
SYN cookies protection is especially useful when the system is under a SYN flood attack and source IP addresses of SYN packets are also forged (a SYN spoofing attack). This mechanism allows construction of a packet with the SYN and ACK flags set and which has a specially crafted initial sequence number (ISN), called a cookie. The value of the cookie is not a pseudo-random number generated by the system but instead is the result of a hash function. This hash result is generated from information like: source IP, source port, destination IP, destination port plus some secret values. During a SYN attack the system generates a response by sending back a packet with a cookie, instead of rejecting the connection when the SYN queue is full. When a server receives a packet with the ACK flag set (the last stage of the three-way handshake process) then it verifies the cookie. When its value is correct, it creates the connection, even though there is no corresponding entry in the SYN queue. Then we know that it is a legitimate connection and that the source IP address was not spoofed. It is important to note that the SYN cookie mechanism works by not using the backlog queue at all, so we don't need to change the backlog queue size. More information about SYN cookies can be found at
Also note that the SYN cookies mechanism works only when the CONFIG_SYNCOOKIES option is set during kernel compilation.

A tcp_max_syn_backlog variable defines how many half-open connections can be kept by the backlog queue. For instance 256 is a total number of half-open connections handled in memory by Linux RedHat 7.3. The TCP/IP stack variables can be configured by sysctl or standard Unix commands. The following example shows how to change the default size of the backlog queue by the sysctl command:

# sysctl -w net.ipv4.tcp_max_syn_backlog="2048"

A tcp_synack_retries variable is responsible for controlling the number of retransmissions in Linux operating system. Its default value is set to 5 for most Linux operating systems, which causes the half-open connection to be removed after 3 minutes. In the below table there are calculations for other values.

# sysctl -w net.ipv4.tcp_synack_retries="2048"


Time of retransmission
Total time to keep half-open connections in the backlog queue


in 3rd second

9 seconds


in 3rd and 9th second

21 seconds


in 3rd , 9th and 21st second

45 seconds

No comments: