How to: Hardening Linux Server TCP/IP Stack Against SYN Floods

Days ago we wrote a post called How can I Turn On TCP SYN Cookie Protection on Linux? and today we will be completing the SYN Flood solutions post series with an article focused on showing how to harden your server against SYN Flood attacks.

What is a SYN Flood Attack?

When an attacker tries to start a SYN Flood against your server, they will start the TCP 3-Way handshake, attackers will try first to spoof their IP address inside the SYN packet sent to the server, this way when your server tries to respond with SYN-ACK packet, it will never reach destiny, leaving the connection unestablished and in the queue until the termination time after they will get discarded.

Nothing happens yet, it’s a normal stuff on the internet and the tcp/ip protocol, however, if you see lot of this unestabilished connections are queued in the backlog (3 minutes by default), it will prevent legitimate connections from being processed, and this will cause your HTTP traffic to get stalled avoiding new requests.

How can I protect against SYN Floods?

DOS attacks using the SYN flood technique can be really tricky and still take many servers down if the Linux system is not hardened to fight against them. While some firewall rules can help to mitigate this attacks, the best you can do is to harden your kernel against this type of attacks.

The next kernel hardening is useful against HTTP floods, as the attack will try to overload the service to take down all your websites. Let’s start.

Edit your sysctl.conf file

It is usually located at /etc/sysctl.conf

nano -w /etc/sysctl.conf

Activate Syn Cookies

Find or search for the “net.ipv4.tcp_syncookies” and set it to “1”

sysctl -w net.ipv4.tcp_syncookies="1"

Set higher limit for backlog queue variable

sysctl -w net.ipv4.tcp_max_syn_backlog="2048"

Minimize the time wait for SYN-ACK response

sysctl -w net.ipv4.tcp_synack_retries=2

Once you are done editing your sysctl.conf file, run this command to apply changes:

sysctl -p


After tweaking your sysctl.conf file, your linux server should be way more secure than running the default sysctl.conf configuration that comes on most Linux distributions. If after this tweak you still can not fight against this kind of floods, Cloudflare is always a good solution to stop massive attacks.

About the Author: Martin Keler

Leave a Reply

Your email address will not be published. Required fields are marked *