Linux: Turn On TCP SYN Cookie Protection

by on April 14, 2013 · 3 comments· LAST UPDATED April 14, 2013

in , ,

I am under DoS attack. My cloud based server hosting company asked me to enable TCP SYN cookie protection to save my domain from SYN Attack. How do I turn on TCP Syn cookie protection under Ubuntu or CentOS Linux based server?

The TCP Syn is DoS (Denial of Service) attack. It consumes resources on your Linux server. The attacker begin with the TCP connection handshake sending the SYN packet, and
Tutorial details
DifficultyIntermediate (rss)
Root privilegesYes
Estimated completion timeN/A
then never completing the process to open the connection. This results into massive half-open connections. The Linux kernel can block such attacks easily.

See the current settings

Use sysctl command to configure or see kernel parameters at runtime. To see the current settings for net.ipv4.tcp_syncookies kernel parameter, enter:
# sysctl -n net.ipv4.tcp_syncookies
# cat /proc/sys/net/ipv4/tcp_syncookies
Sample outputs:

Fig.01: View current TCP SYN cookie protection

Fig.01: View current TCP SYN cookie protection

Enable TCP SYN cookie protection

Edit the file /etc/sysctl.conf, run:
# vi /etc/sysctl.conf
Append the following entry:

net.ipv4.tcp_syncookies = 1

Save and close the file. To reload the change, type:
# sysctl -p

Recommended readings

  1. How to set advanced security options of the TCP/IP stack and virtual memory to improve security and performance of your Linux based system.
  2. Twenty Linux server hardening security tips
  3. Linux firewall tutorial and shorewall firewall tutorial for more information.
Tweet itFacebook itG+ itDownload PDF versionFound an error/typo on this page?

{ 3 comments… read them below or add one }

1 Patschi April 15, 2013 at 7:33 am

What’s the positive and negative aspects of this command? I’m interested what exactly the setting does do :)


2 michel April 15, 2013 at 12:02 pm

this will create a timeout to drop this open connections. preventing a syn flood attack.



3 Luka Paunović August 11, 2013 at 10:31 pm

When i run command

netstat -an | grep :80 | grep -i syn | wc -l

I see more than 250 connections, that cause Apache timeout error, is this a fix for this?
I did like shown in this post, but i can not check will it work because attack passed….


Leave a Comment

Tagged as: , , , , , , ,

Previous Faq:

Next Faq: