How can I Turn On TCP SYN Cookie Protection on Linux?

Are you under DOS attack on your cPanel or Linux server and you need to stop that syn flood to avoid downtime? Many VPS and Dedicated servers suffer syn flood attacks on their systems, it’s something really normal on Linux servers. One type of attack is called SYN Attack.

TCP Syn attacks are what it is called as DOS (aka Denial of Service) attack. DOS attacks consume resources in your dedicated box.

How does this SYN attack work?

Malicious connections begin with TCP connection handshake sending an SYN packet, and then it will never complete the process of opening the connection, the result will be an incomplete (but half-open) connection to your server. Imagine the attacker runs this massively against your server, and your server get’s flooded easily. Fortunately, the Linux kernel can handle this kind of SYN attack easily.

In order to protect against SYN ATTACKS, you will need to activate tcp_syncookies at your kernel configuration.

Is it possible to get protected against TCP Syn Attacks on Linux servers? (Ubuntu, Debian, CentOS, RHEL and many others)

How to Turn On TCP SYNCookie Protection

Check your current settings:

Using sysctl command you will see the kernel configurations at runtime. In order to check if tcp_syncookies (net.ipv4.tcp_syncookies) is activated or not, run this command:

sysctl -n net.ipv4.tcp_syncookies


cat /proc/sys/net/ipv4/tcp_syncookies

The output should be something like:

[[email protected]:~]sysctl -n net.ipv4.tcp_syncookies
[[email protected]:~]cat /proc/sys/net/ipv4/tcp_syncookies

If you see 1, then your tcp_syncookies protection is activated at the kernel level.

If don’t, see the next steps in order to turn on tcp_syncookies on Linux

Enable TCP SYN cookie protection

Edit sysctl.conf file

nano -w /etc/sysctl.conf

Add the following variable at the end of your file:

net.ipv4.tcp_syncookies = 1

Save and close the file.

Reload sysctl.conf configuration by running:

sysctl -p

All done, by this time you should have your TCP Syncookie protection activated to shield your server against TCP Syn attacks. However, if that’s not helping too much, please make sure you read the following post: Hardening Server TCP/IP Stack Against SYN Floods

Suggested reading:

About the Author: Santiago Borges

Experienced Sr. Linux SysAdmin and Web Technologist, passionate about building tools, automating processes, fixing server issues, troubleshooting, securing and optimizing high traffic websites.

1 Comment

  1. Looks like its not necessarily on even if you get 1 as output. You need to uncomment it in the file and then reload.

Leave a Reply

Your email address will not be published. Required fields are marked *