TCP SYN Retries Linux Kernel Setting

How to display and modify the TCP SYN retries kernel setting on Linux

SYN Retries

The number of times the kernel retransmits the initial SYN of an outbound (active-open) connection before giving up with ETIMEDOUT. It applies to connections this host initiates, not to inbound ones: retransmission of SYN-ACKs for half-open inbound connections is governed by net.ipv4.tcp_synack_retries, and that setting, together with SYN cookies, is what limits the resources a SYN flood can tie up. A lower tcp_syn_retries value makes connection attempts to unreachable hosts fail sooner, so sockets stuck in SYN_SENT (and whatever is blocked waiting on them) are freed earlier, but on lossy networks a value of 5 or more is probably worthwhile. Also see the SYN Cookies section.

You can check the current setting like so:

$ sysctl net.ipv4.tcp_syn_retries
net.ipv4.tcp_syn_retries = 6

The interval between each resend doubles every time, starting from the initial retransmission timeout (RTO). On current kernels the initial RTO is 1 second (RFC 6298), so a value of 5 means a resend at 1s, then 2s later, then 4s, 8s and 16s later, with the last retransmission going out 31s after the first SYN; the kernel then waits one more doubled interval (32s) before failing the connect() with ETIMEDOUT, so the attempt gives up at 63s. A value of 3 gives up after 15s and the default of 6 after 127s. The figures often quoted elsewhere (93s for 5 retries, 21s for 3) come from older kernels with a 3s initial RTO and count only up to the last retransmission, not the final give-up. The maximum the kernel accepts is 127 (MAX_TCP_SYNCNT), which is already absurd in practice; sysctl rejects anything larger. Newer kernels also have net.ipv4.tcp_syn_linear_timeouts, which keeps the first few retransmissions at the initial RTO before exponential backoff begins, so their totals are a little longer than the pure doubling described here.
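The schedule above, worked through in a script. This is an added example, not part of the original page: it assumes pure exponential backoff from a configurable initial RTO (so it slightly understates the totals on kernels with tcp_syn_linear_timeouts), and the function names are its own, not kernel or sysctl interfaces.

```shell
#!/bin/sh
# Added example: model the SYN retransmission schedule for a given
# net.ipv4.tcp_syn_retries value. Assumes pure exponential backoff
# (kernels with tcp_syn_linear_timeouts stretch the early intervals).
# Function names below are this example's own.

# syn_schedule RETRIES [INITIAL_RTO_SECONDS]
# Prints one line per retransmission: "<n> <seconds after the first SYN>".
syn_schedule() {
    local retries=$1 rto=${2:-1} t=0 n=1
    while [ "$n" -le "$retries" ]; do
        t=$(( t + rto ))
        printf '%d %d\n' "$n" "$t"
        rto=$(( rto * 2 ))      # RTO doubles after every timeout
        n=$(( n + 1 ))
    done
}

# Seconds from the first SYN until the last retransmission: rto * (2^n - 1).
syn_last_retransmit() {
    local retries=$1 rto=${2:-1}
    echo $(( rto * ((1 << retries) - 1) ))
}

# Seconds until connect() fails with ETIMEDOUT: the kernel waits one more
# doubled RTO after the last retransmission, i.e. rto * (2^(n+1) - 1).
syn_give_up() {
    local retries=$1 rto=${2:-1}
    echo $(( rto * ((1 << (retries + 1)) - 1) ))
}

# Read the live value; fall back to the kernel default of 6 where /proc/sys
# cannot be read (restricted containers, non-Linux hosts).
current_syn_retries() {
    sysctl -n net.ipv4.tcp_syn_retries 2>/dev/null || echo 6
}

# Usage: print the schedule for the running kernel's setting with a 1s RTO.
r=$(current_syn_retries)
printf 'net.ipv4.tcp_syn_retries = %s (initial RTO 1s)\n' "$r"
syn_schedule "$r"
printf 'last retransmission at %ss, connect() gives up at %ss\n' \
    "$(syn_last_retransmit "$r")" "$(syn_give_up "$r")"
```

Pass a second argument of 3 to reproduce the older 3s-RTO figures (syn_last_retransmit 5 3 gives 93, syn_last_retransmit 3 3 gives 21); with the default 1s RTO, syn_give_up 6 gives the 127s that a hung connect() to a blackholed address actually takes before returning an error.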

Dynamic Configuration

To change the running configuration, run this command as root (or via sudo) with your desired value; it takes effect immediately for new connection attempts but does not survive a reboot:

$ sysctl -w net.ipv4.tcp_syn_retries=NN

You can confirm like so:

$ sysctl net.ipv4.tcp_syn_retries

Permanent Configuration

To make this setting persistent across reboots, edit the /etc/sysctl.conf file (or, on distributions that use it, add a file under /etc/sysctl.d/) like so, save and quit:

$ vi /etc/sysctl.conf

net.ipv4.tcp_syn_retries = NN

:wq

You can then reboot to check the setting persists, or alternatively, run this command to load the file now (sysctl -p with no file argument reads /etc/sysctl.conf; sysctl --system also reads /etc/sysctl.d/*.conf, the way the boot-time load does):

$ sysctl -p /etc/sysctl.conf

Confirm with this:

$ sysctl net.ipv4.tcp_syn_retries
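The whole procedure, runtime change plus persistence plus verification, as one script. This is an added example rather than anything from the original page: the drop-in file name 60-tcp-syn-retries.conf and the function names are its own choices, it writes under /etc/sysctl.d/ rather than editing /etc/sysctl.conf, and the runtime part needs root.

```shell
#!/bin/sh
# Added example: set net.ipv4.tcp_syn_retries at runtime and persist it as
# a drop-in under /etc/sysctl.d. The drop-in name and the function names
# are this example's own choices, not a kernel or distro convention.

SYSCTL_KEY=net.ipv4.tcp_syn_retries

# The kernel accepts 1..127 (MAX_TCP_SYNCNT); sysctl -w rejects anything
# else with EINVAL, so validate before touching the system.
validate_syn_retries() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 127 ]
}

# write_syn_retries_dropin VALUE [DIR]
# Writes a one-line drop-in and prints its path. DIR defaults to
# /etc/sysctl.d; pass a scratch directory to try it without root.
write_syn_retries_dropin() {
    validate_syn_retries "$1" || return 1
    dir=${2:-/etc/sysctl.d}
    f="$dir/60-tcp-syn-retries.conf"
    printf '%s = %s\n' "$SYSCTL_KEY" "$1" > "$f" || return 1
    echo "$f"
}

# apply_syn_retries VALUE: change the running kernel (needs root), then
# read the value back and confirm it instead of trusting the exit status.
apply_syn_retries() {
    validate_syn_retries "$1" || return 1
    sysctl -w "$SYSCTL_KEY=$1" >/dev/null || return 1
    [ "$(sysctl -n "$SYSCTL_KEY")" = "$1" ]
}

# Usage (as root): ./tcp-syn-retries.sh VALUE
main() {
    if ! validate_syn_retries "$1"; then
        echo "usage: $0 VALUE (1..127)" >&2
        return 1
    fi
    apply_syn_retries "$1" || {
        echo "runtime change failed (are you root?)" >&2; return 1; }
    f=$(write_syn_retries_dropin "$1") || {
        echo "could not write drop-in under /etc/sysctl.d" >&2; return 1; }
    # Load everything the way boot does, which catches a typo in the new
    # file now rather than after the next reboot, then show the result.
    sysctl --system >/dev/null || return 1
    echo "persisted in $f: $(sysctl "$SYSCTL_KEY")"
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

One caveat when mixing the two persistence methods: sysctl --system reads /etc/sysctl.conf after the /etc/sysctl.d/ files, so if /etc/sysctl.conf also sets net.ipv4.tcp_syn_retries, that value wins over the drop-in.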