The system must be configured to use TCP syncookies when experiencing a TCP SYN flood.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-22419	GEN003612	SV-64209r1_rule		Medium

Description
A TCP SYN flood attack can cause Denial of Service by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies are a mechanism used to only track a connection when a subsequent ACK is received, verifying the initiator is attempting a valid connection and is not a flood source. This technique does not operate in a fully standards-compliant manner, but is only activated when a flood condition is detected, and allows defense of the system while continuing to service valid requests.

Description

A TCP SYN flood attack can cause Denial of Service by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies are a mechanism used to only track a connection when a subsequent ACK is received, verifying the initiator is attempting a valid connection and is not a flood source. This technique does not operate in a fully standards-compliant manner, but is only activated when a flood condition is detected, and allows defense of the system while continuing to service valid requests.

STIG	Date
Oracle Linux 5 Security Technical Implementation Guide	2020-02-25

Details

Check Text ( C-52667r1_chk )
Verify the system configured to use TCP syncookies when experiencing a TCP SYN flood. # cat /proc/sys/net/ipv4/tcp_syncookies If the result is not "1", this is a finding.

Fix Text (F-54821r1_fix)
Configure the system to use TCP syncookies when experiencing a TCP SYN flood. Edit /etc/sysctl.conf and add a setting for "net.ipv4.tcp_syncookies=1". # sysctl -p