1.0 KiB
---id: V-38539 status: implemented tag: misc ---
The STIG recommends enabling TCP SYN cookies to deal with TCP SYN floods.
Note that high-traffic environments may require TCP SYN cookies to be disabled. Certain load balancers may forward requests in such a way that web servers may think they're being SYN flooded during peak traffic events. Putting well-configured hardware network devices in front of OpenStack environments is always recommended and this may allow some deployers to turn off SYN cookies within their environment.
Deployers can disable TCP SYN cookies by setting an Ansible variable:
security_sysctl_enable_tcp_syncookies: noMost operating systems, such as Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 have TCP syncookies enabled by default upon installation. For more information on TCP SYN cookies and TCP SYN floods, refer to these links: