Question

Research whether SYN cookies, or other similar mechanism, are supported on an operating system you have access to (e.g., BSD, Linux, MacOS, Windows). If so, determine whether they are enabled by default and, if not, how to enable them.

Answer 1

Yes, SYN cookies are supported.

A SYN cookie is a specific choice of initial TCP sequence number by TCP software and is used as a defence against SYN Flood attacks.

In normal operation, a Client sends a SYN and the Server responds with a SYN+ACK message, the server will then hold state information in the TCP stack while waiting for Client ACK message. A simple SYN flood (using suitable software) will generate SYN packets which would consume all available TCP memory as the server must maintain state for all half-open connections. And since this state table is finite the server will no longer accept new TCP connections and thus fail or deny service to the user ((or worse, buffer overflows or system memory exhaustion has occurred, not so much a problem today)).

This is highly leveraged attack since a very small amount of bandwidth and CPU can exhaust the resources on a large number of servers.

By specifically calculating the TCP sequence number with a specific, secret math function in the SYN-ACK response, the server does not need to maintain this state table. On receipt of the ACK from the Client, the TCP sequence number is checked against the function to determine if this is a legitimate reply.

If the check is successful, then the server will create the TCP session and the user connection will proceed as normal.
Enabling SYN Cookies:

To enable it, you have to do:

•   [root@deep] /# echo 1 > /proc/sys/net/ipv4/tcp_syncookies

Add the above commands to the /etc/rc.d/rc.local script file and you'll not have to type it again the next time you reboot your system.
Edit the /etc/sysctl.conf file and add the following line:

# Enable TCP SYN Cookie Protection

•   net.ipv4.tcp_syncookies = 1

You must restart your network for the change to take effect. The command to restart the network is the following:

•   [root@deep] /# /etc/rc.d/init.d/network restart
Setting network parameters       [ OK ]
Bringing up interface lo [ OK ]
Bringing up interface eth0     [ OK ]
Bringing up interface eth1   [ OK ]

If you receive an error message during execution of the above command, check that you have enabled the TCP syncookies option in your kernel configuration: IP: TCP syncookie support not enabled per default CONFIG_SYN_COOKIES Y/n/?.

•   Y

And you have successfully enabled the SYN cookies.