2 .\" syncache - TCP SYN caching to handle SYN flood DoS.
4 .\" Redistribution and use in source and binary forms, with or without
5 .\" modification, are permitted provided that the following conditions
7 .\" 1. Redistributions of source code must retain the above copyright
8 .\" notice, this list of conditions and the following disclaimer.
9 .\" 2. Redistributions in binary form must reproduce the above copyright
10 .\" notice, this list of conditions and the following disclaimer in the
11 .\" documentation and/or other materials provided with the distribution.
19 .Nm syncache , syncookies
22 MIBs for controlling TCP SYN caching
26 .Nm sysctl Cm net.inet.tcp.syncookies
31 .Nm sysctl Cm net.inet.tcp.syncache.hashsize
33 .Nm sysctl Cm net.inet.tcp.syncache.bucketlimit
35 .Nm sysctl Cm net.inet.tcp.syncache.cachelimit
37 .Nm sysctl Cm net.inet.tcp.syncache.rexmtlimit
39 .Nm sysctl Cm net.inet.tcp.syncache.count
45 MIB is used to control the TCP SYN caching in the system, which
46 is intended to handle SYN flood Denial of Service attacks.
48 When a TCP SYN segment is received on a port corresponding to a listen
49 socket, an entry is made in the
51 and a SYN,ACK segment is
55 entry holds the TCP options from the initial SYN,
56 enough state to perform a SYN,ACK retransmission, and takes up less
57 space than a TCP control block endpoint.
58 An incoming segment which contains an ACK for the SYN,ACK
61 entry will cause the system to create a TCP control block
62 with the options stored in the
64 entry, which is then released.
68 protects the system from SYN flood DoS attacks by minimizing
69 the amount of state kept on the server, and by limiting the overall size
74 provides a way to virtually expand the size of the
76 by keeping state regarding the initial SYN in the network.
79 sends a cryptographic value in the SYN,ACK reply to
80 the client machine, which is then returned in the client's ACK.
81 If the corresponding entry is not found in the
84 passes specific security checks, the connection will be accepted.
85 This is only used if the
87 is unable to handle the volume of
88 incoming connections, and a prior entry has been evicted from the cache.
91 have a certain number of disadvantages that a paranoid
92 administrator may wish to take note of.
93 Since the TCP options from the initial SYN are not saved, they are not
94 applied to the connection, precluding use of features like window scale,
95 timestamps, or exact MSS sizing.
96 As the returning ACK establishes the connection, it may be possible for
97 an attacker to ACK flood a machine in an attempt to create a connection.
98 While steps have been taken to mitigate this risk, this may provide a way
99 to bypass firewalls which filter incoming segments with the SYN bit set.
103 implements a number of variables in
105 .Va net.inet.tcp.syncache
109 Several of these may be tuned by setting the corresponding
112 .Bl -tag -width ".Va bucketlimit"
116 hash table, must be a power of 2.
117 Read-only, tunable via
120 Limit on the number of entries permitted in each bucket of the hash table.
121 This should be left at a low value to minimize search time.
122 Read-only, tunable via
125 Limit on the total number of entries in the
128 .Va ( hashsize No \(mu Va bucketlimit ) ,
129 may be set lower to minimize memory
131 Read-only, tunable via
134 Maximum number of times a SYN,ACK is retransmitted before being discarded.
135 The default of 3 retransmits corresponds to a 45 second timeout, this value
136 may be increased depending on the RTT to client machines.
140 Number of entries present in the
145 Statistics on the performance of the
149 which provides the following counts:
150 .Bl -tag -width ".Li cookies received"
151 .It Li "syncache entries added"
152 Entries successfully inserted in the
155 SYN,ACK retransmissions due to a timeout expiring.
157 Incoming SYN segment matching an existing entry.
159 SYNs dropped because SYN,ACK could not be sent.
161 Successfully completed connections.
162 .It Li "bucket overflow"
163 Entries dropped for exceeding per-bucket size.
164 .It Li "cache overflow"
165 Entries dropped for exceeding overall cache size.
167 RST segment received.
169 Entries dropped due to maximum retransmissions or listen socket disappearance.
171 New socket allocation failures.
173 Entries dropped due to bad ACK reply.
175 Entries dropped due to ICMP unreachable messages.
176 .It Li "zone failures"
177 Failures to allocate new
180 .It Li "cookies received"
181 Connections created from segment containing ACK.
194 The original concept of a
196 originally appeared in
198 and was later modified by
200 then further extended here.
204 code and manual page were written by
205 .An Jonathan Lemon Aq jlemon@FreeBSD.org .