Linux: Turn On TCP SYN Cookie Protection

I am under DoS attack. My cloud based server hosting company asked me to enable TCP SYN cookie protection to save my domain from a SYN attack. How do I turn on TCP SYN cookie protection under an Ubuntu or CentOS Linux based server?

Tutorial details
Difficulty level: Intermediate
Root privileges: Yes
Requirements: /etc/sysctl.conf
Est. reading time: N/A

A TCP SYN flood is a DoS (Denial of Service) attack that consumes resources on your Linux server. The attacker begins the TCP connection handshake by sending a SYN packet, and then never completes the process to open the connection. This results in a massive number of half-open connections. The Linux kernel can block such attacks easily.

See the current settings

Use the sysctl command to configure or see kernel parameters at runtime. To see the current setting of the net.ipv4.tcp_syncookies kernel parameter, enter either of the following:
# sysctl -n net.ipv4.tcp_syncookies
# cat /proc/sys/net/ipv4/tcp_syncookies
Sample outputs:

Fig.01: View current TCP SYN cookie protection

Enable TCP SYN cookie protection

Edit the file /etc/sysctl.conf, run:
# vi /etc/sysctl.conf
Append the following entry:

net.ipv4.tcp_syncookies = 1

Save and close the file. To reload the change, type:
# sysctl -p
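The check, edit and reload steps above, as an added example that is not part of the original post: a POSIX shell script that reports the runtime value, rewrites an existing or commented-out net.ipv4.tcp_syncookies line instead of appending a duplicate, and reloads the file with sysctl -p. The function names, the --apply flag and the optional file-path arguments are my own.

```shell
#!/bin/sh
# Added example, not from the original post: check and persist net.ipv4.tcp_syncookies
# (0 = off, 1 = cookies only when the SYN backlog overflows, 2 = always). The path
# arguments let the functions run against copies instead of the live /proc and /etc files.
SYSCTL_KEY="net.ipv4.tcp_syncookies"
KEY_RE='net\.ipv4\.tcp_syncookies'          # regex form, dots escaped

# Print the runtime value read from /proc (or from a file given as $1).
runtime_value() {
    proc_file="${1:-/proc/sys/net/ipv4/tcp_syncookies}"
    [ -r "$proc_file" ] || return 1
    cat "$proc_file"
}

# Succeed (exit 0) only if the config file has an active, uncommented line
# setting the key to 1; a "# net.ipv4.tcp_syncookies = 1" line does not count.
config_has_active_setting() {
    grep -Eq "^[[:space:]]*${KEY_RE}[[:space:]]*=[[:space:]]*1[[:space:]]*$" "$1"
}

# Ensure the config file contains exactly one active "key = 1" line: rewrite an
# existing line (commented out or not, any value) in place, otherwise append.
persist_syncookies() {
    conf="$1"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${KEY_RE}[[:space:]]*=" "$conf"; then
        tmp="${conf}.tmp"
        sed -E "s|^[[:space:]]*#?[[:space:]]*${KEY_RE}[[:space:]]*=.*|${SYSCTL_KEY} = 1|" \
            "$conf" > "$tmp" && mv "$tmp" "$conf"
    else
        printf '%s = 1\n' "$SYSCTL_KEY" >> "$conf"
    fi
}

# Persist the setting and reload that file so the runtime value matches (root only).
apply_syncookies() {
    conf="${1:-/etc/sysctl.conf}"
    persist_syncookies "$conf" && sysctl -p "$conf"
}

# Run as "sh syncookies.sh --apply" to enable; otherwise only report the status.
case "${1:-}" in
    --apply) apply_syncookies ;;
    *)
        echo "runtime $SYSCTL_KEY = $(runtime_value 2>/dev/null || echo unknown)"
        if config_has_active_setting /etc/sysctl.conf 2>/dev/null; then
            echo "/etc/sysctl.conf: persisted"
        else
            echo "/etc/sysctl.conf: not persisted (or file unreadable)"
        fi ;;
esac
```

Without --apply the script only reads, so it is safe to run as an unprivileged user to audit a host.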

Recommended reading

  1. How to set advanced security options of the TCP/IP stack and virtual memory to improve security and performance of your Linux based system.
  2. Twenty Linux server hardening security tips
  3. Linux firewall tutorial and shorewall firewall tutorial for more information.

5 comments
  • Patschi Apr 15, 2013 @ 7:33

    What are the positive and negative aspects of this command? I’m interested in what exactly the setting does :)

  • michel Apr 15, 2013 @ 12:02

    This will create a timeout to drop these open connections, preventing a SYN flood attack.


  • Luka Paunović Aug 11, 2013 @ 22:31

    When I run the command

    netstat -an | grep :80 | grep -i syn | wc -l

    I see more than 250 connections, which cause an Apache timeout error. Is this a fix for this?
    I did as shown in this post, but I cannot check whether it will work because the attack passed….

  • Tusi Tasnanio Nov 1, 2016 @ 5:38


    What this person described above is NOT CORRECT!

    This person showed both of these commands:

    sysctl -n net.ipv4.tcp_syncookies
    cat /proc/sys/net/ipv4/tcp_syncookies

    If you NOTICED they have 1 showing, that means it’s ENABLED, so you don’t need to do anything, which they did not explain!

    ONLY do net.ipv4.tcp_syncookies = 1 if you don’t get a 1 in the cmds!

    • Marabiloso Aug 6, 2017 @ 20:45

      I’m not too sure why you’re shouting (see RFC1855 about upper case). There are lots of reasons why sysctl -n (…) may report the service as enabled at runtime; it doesn’t mean it’s enabled or disabled in any file (yet). Adding the line in /etc/sysctl.conf won’t have any impact until you reload with sysctl --system or until you reboot, which doesn’t guarantee /proc/sys/net/ipv4/tcp_syncookies will still be enabled.
      From what I can see in the output, `sysctl --system` only sets the value if it is different from the current value.
      Now, if you really wanna be a purist, you’ll check that net.ipv4.tcp_syncookies is not already present in /etc/sysctl.conf (it’s commented out in Ubuntu 16) and uncomment the line instead of appending it.
