Tempesta Technologies

TCP SYN Cookies

This filter is an alternative to standard SYN cookies. Thanks to its XDP-based implementation, it can mitigate significantly larger SYN flood attacks.

The filter works only in host mode (see Local host protection).

To use this filter, the net.ipv4.tcp_syncookies sysctl must be enabled, and the kernel must be compiled with SYN cookies support (CONFIG_SYN_COOKIES=y, which is the default in Ubuntu 24 LTS).

SYN cookies operate in a bimodal manner – passive and flood – to avoid the overhead of generating a cookie for every TCP handshake.

The algorithm starts in passive mode, in which Tempesta xFW sends a SYN cookie at most once per passive_timer. If the Linux kernel determines that a SYN cookie should be generated, the cookie is sent to the client and the algorithm transitions to flood mode.

In flood mode, the kernel is queried once per flood_timer interval to determine whether SYN cookies should continue to be generated. When the kernel decides that the SYN flood has stopped, the algorithm transitions back to passive mode.

The Linux kernel decides whether a SYN cookie should be generated, i.e. whether the system is experiencing a SYN flood, based on whether the SYN queue of a listening socket overflows (exceeds the net.ipv4.tcp_max_syn_backlog value). If net.ipv4.tcp_syncookies is set to 0, the kernel never enters SYN flood protection mode.

Looking up a listening socket for each received packet is a relatively expensive operation. Increasing the value of passive_timer reduces the overhead of the SYN cookies mechanism, but also increases the response time to a SYN flood. Similarly, larger values of flood_timer reduce system overhead during an attack, but prolong the overall SYN cookies overhead after the attack has ended.

Example rule for the filter with recommended values (time is specified in seconds):

tcp_syncookies passive_timer=1 flood_timer=1;

By default, both passive_timer and flood_timer are set to 0, meaning SYN cookies are permanently enabled and validated for every TCP handshake. This behavior is equivalent to setting net.ipv4.tcp_syncookies=2 for the Linux kernel SYN cookies implementation.
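The passive/flood switching and the timer trade-offs described above, as an added model that is not Tempesta xFW's code: the kernel's SYN-queue-overflow decision is abstracted as a callable, and the handling of a single zero timer (query on every SYN) is an assumption, since the text only defines the case where both are zero.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Constructed model of the bimodal SYN cookie algorithm; not xFW code.
# The kernel's decision (SYN queue overflow vs. net.ipv4.tcp_max_syn_backlog)
# is abstracted as a callable that returns True while cookies are wanted.
KernelOracle = Callable[[float], bool]


@dataclass
class SynCookieFilter:
    passive_timer: float            # seconds between kernel queries in passive mode
    flood_timer: float              # seconds between kernel queries in flood mode
    mode: str = "passive"
    last_query: float = float("-inf")
    queries: int = 0                # listening-socket lookups done (the costly part)

    def on_syn(self, now: float, kernel_wants_cookie: KernelOracle) -> bool:
        """Handle one SYN arriving at time `now`; return True if a cookie is sent."""
        if self.passive_timer == 0 and self.flood_timer == 0:
            return True             # always on: same as net.ipv4.tcp_syncookies=2
        interval = self.passive_timer if self.mode == "passive" else self.flood_timer
        if now - self.last_query >= interval:    # at most one query per timer
            self.last_query = now
            self.queries += 1
            flooding = kernel_wants_cookie(now)
            if self.mode == "passive" and flooding:
                self.mode = "flood"     # cookie goes out, switch to flood mode
            elif self.mode == "flood" and not flooding:
                self.mode = "passive"   # assumption: this SYN is handled normally
        # In flood mode every SYN gets a cookie; in passive mode none do.
        return self.mode == "flood"


def simulate(passive_timer: float, flood_timer: float, syn_times: List[float],
             flood_start: float, flood_end: float) -> Tuple[List[Tuple[float, bool, str]], int]:
    """Replay SYN arrivals against a constructed kernel that reports a flood in
    [flood_start, flood_end). Returns (per-SYN trace, number of kernel queries)."""
    f = SynCookieFilter(passive_timer, flood_timer)
    oracle = lambda t: flood_start <= t < flood_end
    trace = [(t, f.on_syn(t, oracle), f.mode) for t in syn_times]
    return trace, f.queries


if __name__ == "__main__":
    syns = [0, 0.5, 1.0, 1.5, 2.0, 2.5, 3.0, 3.5]     # constructed arrival times
    for p, fl in ((1, 1), (0.5, 1)):
        trace, q = simulate(p, fl, syns, flood_start=1.2, flood_end=2.7)
        print(f"passive_timer={p} flood_timer={fl} queries={q}")
        for t, cookie, mode in trace:
            print(f"  t={t:<4} cookie={cookie!s:<5} mode={mode}")
```

With the recommended 1/1 timers the flood starting at t=1.2 is first seen at the t=2.0 query; with passive_timer=0.5 it is caught at t=1.5 at the cost of more socket lookups, and the flood_timer of 1 keeps cookies on until t=3.5 although the flood ended at t=2.7.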

The functionality can be disabled with the following command:

tcp_syncookies/del;