Wednesday, December 9, 2009

enable tcp_syncookies by default?

SkyHi @ Wednesday, December 09, 2009

Based on information below, can 
be enabled by default? Are there any drawbacks?

A very popular denial of service attack involves a cracker sending many
(possibly forged) SYN packets to your server, but never completing the
TCP three way handshake. This quickly uses up slots in the kernel's half
open queue, preventing legitimate connections from succeeding. Since a
connection does not need to be completed, there need be no resources
used on the attacking machine, so this is easy to perform and maintain.

If the tcp_syncookies variable is set (only available if your kernel was
compiled with CONFIG_SYNCOOKIES) then the kernel handles TCP SYN packets
normally until the queue is full, at which point the SYN cookie
functionality kicks in.

SYN cookies work by not using a SYN queue at all. Instead the kernel
will reply to any SYN packet with a SYN|ACK as normal, but it will
present a specially-crafted TCP sequence number that encodes the source
and destination IP address and port number and the time the packet was
sent. An attacker performing the SYN flood would never have gotten this
packet at all if they're spoofing, so they wouldn't respond. A
legitimate connection attempt would send the third packet of the three
way handshake which includes this sequence number, and the server can
verify that it must be in response to a valid SYN cookie and allows the
connection, even though there is no corresponding entry in the SYN

Enabling SYN cookies is a very simple way to defeat SYN flood attacks
while using only a bit more CPU time for the cookie creation and
verification. Since the alternative is to reject all incoming
connections, enabling SYN cookies is an obvious choice.