[SATLUG] Tiger syn-flood fail

r3d91ll r3d91ll at grandecom.net
Mon Nov 22 08:32:10 CST 2010

Just ran Tiger security checks on a server that is about to enter
production in the next couple of days and ran across the following fail:

# FAIL [lin013f]The system is not protected against Syn flooding

got the following advice from it:
"Add the line "net.ipv4.tcp_syncookies = 1" to the
file /etc/sysctl.conf"

When I checked the sysctl.conf file, there was the following statement
above the line in question:

# Uncomment the next line to enable TCP/IP SYN cookies
# This disables TCP Window Scaling (http://lkml.org/lkml/2008/2/5/167),
# and is not recommended.

I have the following lines in my iptables script to protect against SYN floods:

# chain that rate-limits new TCP connections (packets with only SYN set)
$IPTABLES -N syn-flood
# -m limit is one token bucket shared by all sources: 4 SYNs may pass at
# once, then 1 per second; a SYN within the limit RETURNs to INPUT and
# continues normal processing
$IPTABLES -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
# every SYN over the limit is dropped
$IPTABLES -A syn-flood -j DROP
# send all inbound SYNs on both interfaces through the chain
$IPTABLES -A INPUT -i $WANFACE -p tcp --syn -j syn-flood
$IPTABLES -A INPUT -i $LANFACE -p tcp --syn -j syn-flood

My question: is my iptables script enough protection against
SYN floods, or should I consider uncommenting the line in sysctl.conf?
If I do this, how will it affect the performance of the server?
FYI: the server in question is a Debian Lenny LAMP box.

Thanks in advance for any advice


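As an added example (not part of the original post or of the Tiger/iptables projects), the following Python model shows what the posted `-m limit` chain actually does under a flood. It implements the iptables limit match as a token bucket (which is how the match works internally), runs constructed SYN arrival timelines through it, and compares the posted rule (one bucket shared by every source) with a per-source bucket of the kind `-m hashlimit --hashlimit-mode srcip` would give. The addresses, rates and timings are constructed for the example; the hashlimit comparison is the editor's assumption about the natural alternative, not something the poster proposed.

```python
"""Token-bucket model of the SYN rate limiting in the posted iptables chain.

Added example, not code from the original post. Traffic below is constructed.
"""
from collections import defaultdict

LEGIT = "203.0.113.10"      # constructed address of a legitimate client
ATTACKER = "198.51.100.7"   # constructed address of a single flooding host


class TokenBucket:
    """Semantics of `-m limit --limit R/s --limit-burst B`.

    The bucket starts full (B tokens), refills at R tokens per second and a
    packet matches only if a whole token is available.  Tokens are kept as
    integer milli-tokens so the arithmetic is exact.
    """

    def __init__(self, rate_per_s, burst):
        self.rate = rate_per_s
        self.capacity = burst * 1000
        self.tokens = self.capacity
        self.last_ms = 0

    def allow(self, now_ms):
        refill = (now_ms - self.last_ms) * self.rate
        self.tokens = min(self.capacity, self.tokens + refill)
        self.last_ms = now_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


def accepted_with_global_limit(syns, rate=1, burst=4):
    """Posted rule: every SYN on the interface draws from ONE bucket."""
    bucket = TokenBucket(rate, burst)
    counts = defaultdict(int)
    for t_ms, src in sorted(syns):
        counts[src] += 0                  # record the source even if all dropped
        if bucket.allow(t_ms):            # -j RETURN: SYN goes on to the listener
            counts[src] += 1
    return dict(counts)


def accepted_with_per_source_limit(syns, rate=1, burst=4):
    """hashlimit-style rule (assumed alternative): one bucket per source address."""
    buckets = {}
    counts = defaultdict(int)
    for t_ms, src in sorted(syns):
        if src not in buckets:
            buckets[src] = TokenBucket(rate, burst)
        counts[src] += 0
        if buckets[src].allow(t_ms):
            counts[src] += 1
    return dict(counts)


def single_source_flood():
    """Constructed: attacker sends 20 SYN/s for 5 s, client sends 1 SYN/s."""
    syns = [(i * 50, ATTACKER) for i in range(100)]
    syns += [(525 + 1000 * k, LEGIT) for k in range(5)]
    return syns


def spoofed_flood():
    """Constructed: same flood, but every SYN carries a different forged source."""
    syns = [(i * 50, f"192.0.2.{i}") for i in range(100)]
    syns += [(525 + 1000 * k, LEGIT) for k in range(5)]
    return syns


def summarize(counts):
    """Return (SYNs accepted from the legit client, SYNs accepted from attackers)."""
    legit = counts.get(LEGIT, 0)
    attackers = sum(n for src, n in counts.items() if src != LEGIT)
    return legit, attackers


if __name__ == "__main__":
    for name, traffic in (("single source", single_source_flood()),
                          ("spoofed sources", spoofed_flood())):
        print(name, "global limit  (posted rule):",
              summarize(accepted_with_global_limit(traffic)))
        print(name, "per-source limit (hashlimit):",
              summarize(accepted_with_per_source_limit(traffic)))
```

What the model shows: with the posted rule the whole interface is capped at about one new connection per second, so during a flood the legitimate client is dropped right along with the attacker (the rule limits the server as effectively as the flood does), and on an idle server it also caps normal connection setup at that rate. A per-source limit keeps the legitimate client flowing when the flood comes from one real address, but a flood with forged source addresses gets a fresh bucket per packet and passes straight through. That spoofed case is exactly what net.ipv4.tcp_syncookies addresses in the kernel, and cookies are only used once the SYN backlog is full, so connections accepted under normal load are unaffected; the kernel logs "possible SYN flooding on port N. Sending cookies." when that happens, which is a useful check in syslog for whether the protection has ever been needed.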