2 .\" syncache - TCP SYN caching to handle SYN flood DoS.
4 .\" Redistribution and use in source and binary forms, with or without
5 .\" modification, are permitted provided that the following conditions
7 .\" 1. Redistributions of source code must retain the above copyright
8 .\" notice, this list of conditions and the following disclaimer.
9 .\" 2. Redistributions in binary form must reproduce the above copyright
10 .\" notice, this list of conditions and the following disclaimer in the
11 .\" documentation and/or other materials provided with the distribution.
19 .Nm syncache , syncookies
22 MIBs for controlling TCP SYN caching
26 .Nm sysctl Cm net.inet.tcp.syncookies
28 .Nm sysctl Cm net.inet.tcp.syncookies_only
33 .Nm sysctl Cm net.inet.tcp.syncache.hashsize
35 .Nm sysctl Cm net.inet.tcp.syncache.bucketlimit
37 .Nm sysctl Cm net.inet.tcp.syncache.cachelimit
39 .Nm sysctl Cm net.inet.tcp.syncache.rexmtlimit
41 .Nm sysctl Cm net.inet.tcp.syncache.count
47 MIB is used to control the TCP SYN caching in the system, which
48 is intended to handle SYN flood Denial of Service attacks.
50 When a TCP SYN segment is received on a port corresponding to a listen
51 socket, an entry is made in the
53 and a SYN,ACK segment is
57 entry holds the TCP options from the initial SYN,
58 enough state to perform a SYN,ACK retransmission, and takes up less
59 space than a TCP control block endpoint.
60 An incoming segment which contains an ACK for the SYN,ACK
63 entry will cause the system to create a TCP control block
64 with the options stored in the
66 entry, which is then released.
70 protects the system from SYN flood DoS attacks by minimizing
71 the amount of state kept on the server, and by limiting the overall size
76 provides a way to virtually expand the size of the
78 by keeping state regarding the initial SYN in the network.
81 sends a cryptographic value in the SYN,ACK reply to
82 the client machine, which is then returned in the client's ACK.
83 If the corresponding entry is not found in the
86 passes specific security checks, the connection will be accepted.
87 This is only used if the
89 is unable to handle the volume of
90 incoming connections, and a prior entry has been evicted from the cache.
93 have a certain number of disadvantages that a paranoid
94 administrator may wish to take note of.
95 Since the TCP options from the initial SYN are not saved, they are not
96 applied to the connection, precluding use of features like window scale,
97 timestamps, or exact MSS sizing.
98 As the returning ACK establishes the connection, it may be possible for
99 an attacker to ACK flood a machine in an attempt to create a connection.
100 While steps have been taken to mitigate this risk, this may provide a way
101 to bypass firewalls which filter incoming segments with the SYN bit set.
108 .Va net.inet.tcp.syncookies_only
113 implements a number of variables in
115 .Va net.inet.tcp.syncache
119 Several of these may be tuned by setting the corresponding
122 .Bl -tag -width ".Va bucketlimit"
126 hash table, must be a power of 2.
127 Read-only, tunable via
130 Limit on the number of entries permitted in each bucket of the hash table.
131 This should be left at a low value to minimize search time.
132 Read-only, tunable via
135 Limit on the total number of entries in the
138 .Va ( hashsize No \(mu Va bucketlimit ) ,
139 may be set lower to minimize memory
141 Read-only, tunable via
144 Maximum number of times a SYN,ACK is retransmitted before being discarded.
145 The default of 3 retransmits corresponds to a 45 second timeout, this value
146 may be increased depending on the RTT to client machines.
150 Number of entries present in the
155 Statistics on the performance of the
159 which provides the following counts:
160 .Bl -tag -width ".Li cookies received"
161 .It Li "syncache entries added"
162 Entries successfully inserted in the
165 SYN,ACK retransmissions due to a timeout expiring.
167 Incoming SYN segment matching an existing entry.
169 SYNs dropped because SYN,ACK could not be sent.
171 Successfully completed connections.
172 .It Li "bucket overflow"
173 Entries dropped for exceeding per-bucket size.
174 .It Li "cache overflow"
175 Entries dropped for exceeding overall cache size.
177 RST segment received.
179 Entries dropped due to maximum retransmissions or listen socket disappearance.
181 New socket allocation failures.
183 Entries dropped due to bad ACK reply.
185 Entries dropped due to ICMP unreachable messages.
186 .It Li "zone failures"
187 Failures to allocate new
190 .It Li "cookies received"
191 Connections created from segment containing ACK.
204 The original concept of a
206 originally appeared in
208 and was later modified by
210 then further extended here.
214 code and manual page were written by
215 .An Jonathan Lemon Aq jlemon@FreeBSD.org .