Enable TCP/IP syncookie support

An XCCDF Rule

Description

Normal TCP/IP networking is open to an attack known as SYN flooding. It is denial-of-service attack that prevents legitimate remote users from being able to connect to your computer during an ongoing attack. When enabled the TCP/IP stack will use a cryptographic challenge protocol known as SYN cookies to enable legitimate users to continue to connect, even when your machine is under attack. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_SYN_COOKIES, run the following command: grep CONFIG_SYN_COOKIES /boot/config-* For each kernel installed, a line with value "y" should be returned.

warning alert: Warning

There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.

Rationale

SYN cookies provide protection against SYN flooding attacks.

ID: xccdf_org.ssgproject.content_rule_kernel_config_syn_cookies
Severity: Medium
References: BP28(R22)

CCE-87330-7
Updated: about 1 year ago