Article ID: 1357, created on Oct 6, 2008, last review on Nov 18, 2015

  • Applies to:
  • Plesk for Linux/Unix


A very popular denial of service attack involves a cracker sending many (possibly forged) SYN packets to your server, but never completing the TCP three-way handshake. This quickly uses up slots in the kernel's half-open queue, preventing legitimate connections from succeeding. Since a connection does not need to be completed, no resources need to be used on the attacking machine; therefore, this is easy to perform and maintain.

If the "tcp_syncookies" variable is set (only available if your kernel was compiled with CONFIG_SYNCOOKIES), then the kernel handles TCP SYN packets normally until the queue is full, at which point the SYN cookie functionality kicks in.

SYN cookies do not work by using a SYN queue. Instead, the kernel will reply to any SYN packet with a SYN|ACK normally, but it will present a specially-crafted TCP sequence number that encodes the source and destination IP address, as well as the port number and the time the packet was sent. An attacker performing the SYN flood would never have gotten this packet at all if they're spoofing, so they wouldn't respond. A legitimate connection attempt would send the third packet of the three-way handshake, which includes this sequence number, and the server can verify that it must be in response to a valid SYN cookie and allows the connection, even though there is no corresponding entry in the SYN queue.

Enabling SYN cookies is a very simple way to defeat SYN flood attacks, while using only a bit more CPU time for the cookie creation and verification. Since the alternative is to reject all incoming connections, enabling SYN cookies is the obvious choice.

tcp_syncookies can be enabled with the following:

# /sbin/sysctl  -w net.ipv4.tcp_syncookies=1


#  echo 1 > /proc/sys/net/ipv4/tcp_syncookies

You can find more information about Linux Firewall-related /proc entries here:

Search Words

apache post flood


syn flood

29d1e90fd304f01e6420fbe60f66f838 a914db3fdc7a53ddcfd1b2db8f5a1b9c 56797cefb1efc9130f7c48a7d1db0f0c

Email subscription for changes to this article
Save as PDF