SYN ACK Retry Linux Kernel Setting

How to display and modify the IP SYN-ACK kernel setting on Linux

SYN/ACK Retries

The number of times the kernel retransmits a SYN-ACK in response to an incoming SYN when the client never completes the three-way handshake with the final ACK. Passive, inbound (the server-side counterpart of net.ipv4.tcp_syn_retries). Each unanswered SYN-ACK keeps a half-open connection in the SYN backlog, so a lower value frees backlog entries sooner and narrows the window in which a SYN flood can exhaust them; on lossy networks, however, a value of 5 or more is probably worthwhile so that a single lost SYN-ACK does not cost a legitimate client its connection. Also see the SYN Cookies section.

You can check the current setting like so:

$ sysctl net.ipv4.tcp_synack_retries
net.ipv4.tcp_synack_retries = 5

The interval between retransmissions doubles each time, starting from the initial RTO. Kernels since 3.1 (which adopted the 1 second initial RTO of RFC 6298) retransmit after 1s, then 2s later, then 4s, 8s and finally 16s later, so a value of 5 sends its last SYN-ACK 31 seconds after the first one and drops the half-open connection 32 seconds after that, 63 seconds in total; these are the figures the kernel's ip-sysctl documentation gives for the default of 5. A value of 3 gives a last retransmission at 7s and a timeout of 15s. Older kernels used a 3 second initial RTO, which is where the often-quoted 3s, 6s, 12s, 24s and 48s intervals (last retransmission at 93s, timeout at 189s) come from. The maximum value is 255, which is far beyond anything useful.
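The schedule above, as an added shell example that is not part of the original page: it models the doubling retransmit timer for any retry count and initial RTO, and relates the resulting timeout to the SYN backlog size to show why a lower value blunts a SYN flood. net.ipv4.tcp_max_syn_backlog is not mentioned on this page, and the model assumes SYN cookies are disabled, so that every half-open connection holds a backlog entry until it times out.

```shell
#!/bin/sh
# synack_timeout.sh: model the SYN-ACK retransmission schedule for a given
# net.ipv4.tcp_synack_retries value. Added example, not from the original page.
# Assumption: the initial RTO is 1s on current kernels (RFC 6298); pre-3.1
# kernels used 3s, which you can pass as the second argument instead.

# synack_schedule RETRIES INIT_RTO: one line per retransmission, with the
# time in seconds since the SYN-ACK was first sent.
synack_schedule() {
    retries=$1; rto=$2; t=0; n=1
    while [ "$n" -le "$retries" ]; do
        t=$((t + rto))
        echo "retry $n at ${t}s"
        rto=$((rto * 2))
        n=$((n + 1))
    done
}

# last_retransmit RETRIES INIT_RTO: seconds until the last SYN-ACK goes out
# (sum of RETRIES doubling intervals).
last_retransmit() {
    retries=$1; rto=$2; t=0; n=0
    while [ "$n" -lt "$retries" ]; do
        t=$((t + rto)); rto=$((rto * 2)); n=$((n + 1))
    done
    echo "$t"
}

# final_timeout RETRIES INIT_RTO: seconds until the half-open connection is
# dropped. The kernel waits one more doubled interval after the last
# retransmission, so this is the sum of RETRIES+1 intervals.
final_timeout() {
    last_retransmit $(($1 + 1)) "$2"
}

# backlog_fill_rate BACKLOG RETRIES INIT_RTO: steady SYNs per second an
# attacker needs to keep a BACKLOG-entry SYN backlog full when every entry
# lives until final_timeout (SYN cookies off). Higher retries => lower rate.
backlog_fill_rate() {
    timeout=$(final_timeout "$2" "$3")
    echo $(( $1 / timeout ))
}

# Usage: print the schedule for the running setting (falls back to the
# default of 5 when /proc/sys is not readable, e.g. off-box).
proc=/proc/sys/net/ipv4/tcp_synack_retries
cur=$( [ -r "$proc" ] && cat "$proc" || echo 5 )
echo "tcp_synack_retries=$cur, initial RTO 1s:"
synack_schedule "$cur" 1
echo "last retransmission at $(last_retransmit "$cur" 1)s," \
     "connection dropped at $(final_timeout "$cur" 1)s"
echo "SYN rate to keep a 1024-entry backlog full: $(backlog_fill_rate 1024 "$cur" 1)/s"
```

Compare backlog_fill_rate for 5 and for 2 retries to see the trade-off the text describes: the lower value multiplies the rate an attacker has to sustain, but it also means a client whose first two SYN-ACKs are lost never connects.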

Dynamic Configuration

To change the running configuration, run this command as root (or via sudo) with your desired value:

$ sysctl -w net.ipv4.tcp_synack_retries=NN

You can confirm like so:

$ sysctl net.ipv4.tcp_synack_retries

Permanent Configuration

To make this setting persistent across reboots, edit the /etc/sysctl.conf file as root like so, add or update the line, then save and quit (on distributions with an /etc/sysctl.d directory, a drop-in file there such as /etc/sysctl.d/99-tcp-synack.conf is the conventional place; the line format is the same):

$ vi /etc/sysctl.conf

net.ipv4.tcp_synack_retries = NN

:wq

You can then reboot to check the setting persists, or alternatively, run this command to load the file without rebooting:

$ sysctl -p /etc/sysctl.conf

Note: sysctl -p reads /etc/sysctl.conf when no file is given, so the path doesn't need to be specified; I've left it there for the sake of clarity and to make it clear that some other file can be specified. To load the /etc/sysctl.d/*.conf drop-ins as well as /etc/sysctl.conf, use sysctl --system.

Confirm with this:

$ sysctl net.ipv4.tcp_synack_retries
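The whole procedure (runtime change, persistent file, reload, verification) as one added shell example that is not from the original page. It assumes a drop-in under /etc/sysctl.d (the file name 99-tcp-synack.conf is arbitrary) and needs root for the sysctl calls; CONF_FILE and SYSCTL_ROOT are hypothetical overrides so the file-editing and verification helpers can be exercised on a copy without touching the live system.

```shell
#!/bin/sh
# synack_persist.sh: set net.ipv4.tcp_synack_retries at runtime, persist it,
# reload and verify. Added example, not from the original page. Assumptions:
# the drop-in name 99-tcp-synack.conf is arbitrary; CONF_FILE and SYSCTL_ROOT
# are overrides for testing the helpers on a scratch copy (defaults are real).

KEY=net.ipv4.tcp_synack_retries
CONF_FILE=${CONF_FILE:-/etc/sysctl.d/99-tcp-synack.conf}
SYSCTL_ROOT=${SYSCTL_ROOT:-/proc/sys}

# set_conf_value FILE KEY VALUE: write "KEY = VALUE" into FILE, removing any
# existing line for KEY first so repeated runs never leave duplicate entries
# (with duplicates the last line wins, which is confusing in an audit).
set_conf_value() {
    file=$1; key=$2; value=$3
    pat=$(printf '%s' "$key" | sed 's/\./\\./g')   # escape dots for the regex
    if [ -f "$file" ] && grep -q "^[[:space:]]*$pat[[:space:]]*=" "$file"; then
        tmp=$(mktemp)
        grep -v "^[[:space:]]*$pat[[:space:]]*=" "$file" > "$tmp" || true
        cat "$tmp" > "$file"; rm -f "$tmp"
    fi
    printf '%s = %s\n' "$key" "$value" >> "$file"
}

# get_conf_value FILE KEY: print the (last) value configured for KEY in FILE.
get_conf_value() {
    pat=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*$pat[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# running_value KEY: read the live value from /proc/sys (dots become slashes).
running_value() {
    cat "$SYSCTL_ROOT/$(echo "$1" | tr . /)"
}

# check_running KEY EXPECTED: exit 0 if the live value matches, 1 otherwise.
check_running() {
    [ "$(running_value "$1")" = "$2" ]
}

# apply_and_persist VALUE: validate (0..255), set at runtime, persist, reload
# the way the boot-time loader would, then confirm the kernel has the value.
apply_and_persist() {
    value=$1
    case $value in
        ''|*[!0-9]*) echo "value must be a non-negative integer" >&2; return 2 ;;
    esac
    [ "$value" -le 255 ] || { echo "value must be 0..255" >&2; return 2; }
    sysctl -w "$KEY=$value" >/dev/null || return 1   # runtime change (needs root)
    set_conf_value "$CONF_FILE" "$KEY" "$value"       # persistent change
    sysctl --system >/dev/null                        # reload drop-ins + sysctl.conf
    check_running "$KEY" "$value"
}

# Usage (as root): ./synack_persist.sh 3
if [ -n "$1" ]; then
    apply_and_persist "$1" &&
        echo "$KEY is now $(running_value "$KEY") (persisted in $CONF_FILE)"
fi
```

The final check_running matters: a typo in the file, or a later drop-in that sets the same key, would otherwise go unnoticed until the next reboot silently changed the value back.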