
I am simulating a SYN flood attack on a Raspberry Pi 1 with Kali Linux (ARM) installed. A message similar to the one mentioned in this post was printed after performing the attack: How to avoid syn cookies.

kernel: possible SYN flooding on port X. Sending cookies.

The `net.ipv4.tcp_syncookies` variable was set to 1 automatically.

Now my problem is that it is not possible to disable it anymore. I rewrote the value to 0 with `sysctl -w net.ipv4.tcp_syncookies=0`, but when performing the attack again, the kernel message is not shown. Additionally, after rebooting the system, the variable is set back to 1.

My questions would be:

  • Is the use of `sysctl -w` directly changing whether SYN cookies are used for TCP connections (in real time)?
  • Why is the variable reset to 1 upon reboot?
  • Where can I configure/find the SYN cookie activation automatism?

I tried disabling the NetworkManager service, resulting in the same behavior after reboot.

Gerry
  • `sysctl` command doesn't make permanent changes; you'll want to read `man sysctl` and `man sysctl.conf` – Jaromanda X Aug 27 '23 at 23:16
  • By using `sysctl.conf` I could set the variable upon start, thank you. Will the variable force the kernel (not) to use SYN cookies, or can the kernel still decide? I am not sure how to check whether the `[SYN,ACK]` packets actually include the cookies (with Wireshark). Are there concrete reference points for this? Also, regarding my 3rd question, is there any way of configuring the kernel without `sysctl` or `sysctl.conf`, and where can I find the automatism for activating SYN cookies? – Gerry Aug 28 '23 at 13:40

0 Answers
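One way to check the points raised in this thread from the shell, as an added example that is not part of the original question or comments: it reads the kernel's `SyncookiesSent`, `SyncookiesRecv` and `SyncookiesFailed` counters (cookies sent, accepted and rejected) and lists which sysctl configuration files assign `net.ipv4.tcp_syncookies`. The function names and the sample counter values are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.

# Print "name value" for the TcpExt SYN-cookie counters found in
# /proc/net/netstat-style input (a header line, then a value line).
syncookie_counters() {
    awk '$1 == "TcpExt:" {
        if (!seen) { for (i = 2; i <= NF; i++) name[i] = $i; seen = 1; next }
        for (i = 2; i <= NF; i++)
            if (name[i] ~ /^Syncookies(Sent|Recv|Failed)$/) print name[i], $i
    }' "$@"
}

# Print "file:value" for every non-comment assignment of a sysctl key
# in the given files, so boot-time settings can be traced to a file.
sysctl_assignments() {
    key=$1; shift
    for f in "$@"; do
        [ -r "$f" ] || continue
        awk -v key="$key" -v file="$f" '
            /^[ \t]*[#;]/ { next }
            { split($0, kv, "="); k = kv[1]; v = kv[2]
              gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v)
              if (k == key) print file ":" v }' "$f"
    done
}

# Constructed sample in /proc/net/netstat layout, so this runs offline.
sample_netstat='TcpExt: SyncookiesSent SyncookiesRecv SyncookiesFailed EmbryonicRsts
TcpExt: 1532 12 7 0
IpExt: InNoRoutes InTruncatedPkts
IpExt: 0 0'
printf '%s\n' "$sample_netstat" | syncookie_counters

# On a live system (read-only checks):
#   sysctl net.ipv4.tcp_syncookies
#   syncookie_counters /proc/net/netstat
#   sysctl_assignments net.ipv4.tcp_syncookies /etc/sysctl.conf \
#       /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf
```

Comparing the counters before and after a test run shows whether cookies were issued, which is easier than inspecting `[SYN,ACK]` packets because the cookie is carried in the initial sequence number rather than in a separate field.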