Linux – Tune Linux kernel against SYN flood attack


I have read an article (not in English) on how to protect a server against SYN flood attacks by modifying some directives in sysctl.conf. That article has a sentence like: "it's possible to recompile the kernel with some options to improve protection against the SYN flood". I'm sorry if my question is too general, but could you point out to me which kernel options it may be referring to? I downloaded the kernel and looked through all the network options with make menuconfig, but I have not found those options or have missed them. Googling also didn't help.

Thank you.

Best Answer

Yes, it is possible to re-compile the kernel with the protections for SYN flood attacks, but I don't see a reason for the same.

You need to re-compile the kernel in systems which don't have the capability to change kernel parameters by commands. But if you still want to do that, then you need to change the C code in the kernel.

For example, in Digital Unix, you change the two parameters in header files and then rebuild the operating system. In /usr/sys/include/sys/socket.h, change the SOMAXCONN definition so the 8 becomes 1024.

In /usr/sys/include/netinet/tcp_timer.h change the TCPTV_KEEP_INIT definition from 75*PR_SLOWHZ to 25*PR_SLOWHZ.

Then rebuild the kernel using Digital Unix procedures, which are unique to this Unix version.

You can also rebuild the kernel changing these same two parameters on a Berkeley-derived Unix system.

However, they're found in different locations, namely /usr/src/sys/netinet/tcp_timer.h and /usr/src/sys/sys/socket.h.

After reading this, if you feel that you don't need to re-compile the kernel, then use the following options to mitigate SYN flood attacks.

# echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# echo 2048 > /proc/sys/net/ipv4/tcp_max_syn_backlog
# echo 3 > /proc/sys/net/ipv4/tcp_synack_retries

To make the changes persistent across reboots, put these entries into the /etc/sysctl.conf file:

# TCP SYN Flood Protection
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 3

You can read more details about these at these URLs:

Hope this answers your question. Feel free to comment if you need more clarifications.
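The following POSIX shell script is an added example, not part of the answer above or of any distribution's tooling. It audits the three sysctls the answer recommends against their recommended values and writes them as a persistent drop-in; the ROOT parameter, the drop-in file name 60-syn-flood.conf, and the function names are all assumptions made for this example so the functions can be exercised against a constructed fake /proc tree as well as on a real host (ROOT=/).

```shell
#!/bin/sh
# Added example (not the answer's own script): audit and persist the three
# SYN-flood sysctls from the answer. Every function takes ROOT so it can be
# run against a fake tree (for testing) or against "/" on a real host.

# Recommended values, taken from the answer above (key=value, one per line).
SYN_SETTINGS="net.ipv4.tcp_syncookies=1
net.ipv4.tcp_max_syn_backlog=2048
net.ipv4.tcp_synack_retries=3"

# key_to_path KEY: net.ipv4.tcp_syncookies -> net/ipv4/tcp_syncookies
key_to_path() {
    printf '%s\n' "$1" | tr '.' '/'
}

# current_value ROOT KEY: print the live value from ROOT/proc/sys/...,
# or the word "missing" if the file is absent (e.g. no IPv4 stack, container).
current_value() {
    root=$1; key=$2
    f="$root/proc/sys/$(key_to_path "$key")"
    if [ -r "$f" ]; then
        cat "$f"
    else
        echo "missing"
    fi
}

# audit_syn_settings ROOT: print OK/MISMATCH per key; exit 0 only if all match.
audit_syn_settings() {
    root=$1
    bad=0
    for entry in $SYN_SETTINGS; do
        key=${entry%%=*}
        want=${entry#*=}
        have=$(current_value "$root" "$key")
        if [ "$have" = "$want" ]; then
            printf 'OK       %s = %s\n' "$key" "$have"
        else
            printf 'MISMATCH %s = %s (want %s)\n' "$key" "$have" "$want"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# render_sysctl_conf: emit the persistent configuration in sysctl.conf syntax.
render_sysctl_conf() {
    echo "# TCP SYN flood protection (generated by syn-tune example)"
    for entry in $SYN_SETTINGS; do
        printf '%s = %s\n' "${entry%%=*}" "${entry#*=}"
    done
}

# apply_syn_settings ROOT: write the drop-in under ROOT/etc/sysctl.d and, on a
# real host only, load every configured value with "sysctl --system".
apply_syn_settings() {
    root=$1
    dir="$root/etc/sysctl.d"
    mkdir -p "$dir"
    render_sysctl_conf > "$dir/60-syn-flood.conf"   # file name is an assumption
    if [ "$root" = "/" ]; then
        sysctl --system >/dev/null
    fi
}

# Usage: sh syn-tune.sh audit | apply   (no argument: define functions only)
case "${1:-}" in
    audit) audit_syn_settings / ;;
    apply) apply_syn_settings / && audit_syn_settings / ;;
esac
```

Two caveats worth knowing when reading the audit output: tcp_syncookies only takes effect once the SYN backlog (tcp_max_syn_backlog) is actually full, so a host under no pressure will never emit a cookie, and connections that are completed via a SYN cookie lose the TCP options (window scaling, SACK) carried in the original SYN because the kernel had no state in which to store them. The persistent drop-in under /etc/sysctl.d is equivalent to the /etc/sysctl.conf entries in the answer; both are read by sysctl --system at boot.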
