ubuntu1604:3:2:8

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision		 Previous revision
ubuntu1604:3:2:8 [2017/05/02 13:19] Piotr Kłoczewskiubuntu1604:3:2:8 [2017/05/04 03:43] (current) Piotr Kłoczewski
Line 1: Line 1:
 +====== 3.2.8 Ensure TCP SYN Cookies is enabled (Scored) ======
 =====Profile Applicability=====   =====Profile Applicability=====  
 <code> <code>
Line 7: Line 7:
  
 =====Description===== =====Description=====
-When ""tcp_syncookies"" is set, the kernel will handle TCP SYN packets normally until the half-open connection queue is full, at which time, the SYN cookie functionality kicks in. SYN cookies work by not using the SYN queue at all. Instead, the kernel simply replies to the SYN with a SYN|ACK, but will include a specially crafted TCP sequence number that encodes the source and destination IP address and port number and the time the packet was sent. A legitimate connection would send the ACK packet of the three way handshake with the specially crafted sequence number. This allows the system to verify that it has received a valid response to a SYN cookie and allow the connection, even though there is no corresponding SYN in the queue.+When ''tcp_syncookies'' is set, the kernel will handle TCP SYN packets normally until the half-open connection queue is full, at which time, the SYN cookie functionality kicks in. SYN cookies work by not using the SYN queue at all. Instead, the kernel simply replies to the SYN with a SYN|ACK, but will include a specially crafted TCP sequence number that encodes the source and destination IP address and port number and the time the packet was sent. A legitimate connection would send the ACK packet of the three way handshake with the specially crafted sequence number. This allows the system to verify that it has received a valid response to a SYN cookie and allow the connection, even though there is no corresponding SYN in the queue.
  
 =====Rationale===== =====Rationale=====
Line 20: Line 20:
  
 =====Remediation=====  =====Remediation===== 
-Set the following parameter in the "/etc/sysctl.conffile:+Set the following parameter in the ''/etc/sysctl.conf'' file:
 <Code:bash> <Code:bash>
 net.ipv4.tcp_syncookies = 1 net.ipv4.tcp_syncookies = 1
  • ubuntu1604/3/2/8.1493723946.txt.gz
  • Last modified: 2017/05/02 13:19
  • by Piotr Kłoczewski