2 .\" syncache - TCP SYN caching to handle SYN flood DoS.
4 .\" Redistribution and use in source and binary forms, with or without
5 .\" modification, are permitted provided that the following conditions
7 .\" 1. Redistributions of source code must retain the above copyright
8 .\" notice, this list of conditions and the following disclaimer.
9 .\" 2. Redistributions in binary form must reproduce the above copyright
10 .\" notice, this list of conditions and the following disclaimer in the
11 .\" documentation and/or other materials provided with the distribution.
19 .Nm syncache , syncookies
22 MIBs for controlling TCP SYN caching
26 .Nm sysctl Cm net.inet.tcp.syncookies
28 .Nm sysctl Cm net.inet.tcp.syncookies_only
33 .Nm sysctl Cm net.inet.tcp.syncache.hashsize
35 .Nm sysctl Cm net.inet.tcp.syncache.bucketlimit
37 .Nm sysctl Cm net.inet.tcp.syncache.cachelimit
39 .Nm sysctl Cm net.inet.tcp.syncache.rexmtlimit
41 .Nm sysctl Cm net.inet.tcp.syncache.count
43 .Nm sysctl Cm net.inet.tcp.syncache.see_other
49 MIB is used to control the TCP SYN caching in the system, which
50 is intended to handle SYN flood Denial of Service attacks.
52 When a TCP SYN segment is received on a port corresponding to a listen
53 socket, an entry is made in the
55 and a SYN,ACK segment is
59 entry holds the TCP options from the initial SYN,
60 enough state to perform a SYN,ACK retransmission, and takes up less
61 space than a TCP control block endpoint.
62 An incoming segment which contains an ACK for the SYN,ACK
65 entry will cause the system to create a TCP control block
66 with the options stored in the
68 entry, which is then released.
72 protects the system from SYN flood DoS attacks by minimizing
73 the amount of state kept on the server, and by limiting the overall size
78 provides a way to virtually expand the size of the
80 by keeping state regarding the initial SYN in the network.
83 sends a cryptographic value in the SYN,ACK reply to
84 the client machine, which is then returned in the client's ACK.
85 If the corresponding entry is not found in the
88 passes specific security checks, the connection will be accepted.
89 This is only used if the
91 is unable to handle the volume of
92 incoming connections, and a prior entry has been evicted from the cache.
95 have a certain number of disadvantages that a paranoid
96 administrator may wish to take note of.
97 Since the TCP options from the initial SYN are not saved, they are not
98 applied to the connection, precluding use of features like window scale,
99 timestamps, or exact MSS sizing.
100 As the returning ACK establishes the connection, it may be possible for
101 an attacker to ACK flood a machine in an attempt to create a connection.
102 While steps have been taken to mitigate this risk, this may provide a way
103 to bypass firewalls which filter incoming segments with the SYN bit set.
110 .Va net.inet.tcp.syncookies_only
115 implements a number of variables in
117 .Va net.inet.tcp.syncache
121 Several of these may be tuned by setting the corresponding
124 .Bl -tag -width ".Va bucketlimit"
128 hash table, must be a power of 2.
129 Read-only, tunable via
132 Limit on the number of entries permitted in each bucket of the hash table.
133 This should be left at a low value to minimize search time.
134 Read-only, tunable via
137 Limit on the total number of entries in the
140 .Va ( hashsize No \(mu Va bucketlimit ) ,
141 may be set lower to minimize memory
143 Read-only, tunable via
146 Maximum number of times a SYN,ACK is retransmitted before being discarded.
147 The default of 3 retransmits corresponds to a 45 second timeout, this value
148 may be increased depending on the RTT to client machines.
152 Number of entries present in the
156 If set to true value, all
158 entries will be visible via
159 .Va net.inet.tcp.pcblist
169 If turned off, the visibility checks are enforced.
172 referencing is required on every incoming SYN packet processed.
176 Statistics on the performance of the
180 which provides the following counts:
181 .Bl -tag -width ".Li cookies received"
182 .It Li "syncache entries added"
183 Entries successfully inserted in the
186 SYN,ACK retransmissions due to a timeout expiring.
188 Incoming SYN segment matching an existing entry.
190 SYNs dropped because SYN,ACK could not be sent.
192 Successfully completed connections.
193 .It Li "bucket overflow"
194 Entries dropped for exceeding per-bucket size.
195 .It Li "cache overflow"
196 Entries dropped for exceeding overall cache size.
198 RST segment received.
200 Entries dropped due to maximum retransmissions or listen socket disappearance.
202 New socket allocation failures.
204 Entries dropped due to bad ACK reply.
206 Entries dropped due to ICMP unreachable messages.
207 .It Li "zone failures"
208 Failures to allocate new
211 .It Li "cookies received"
212 Connections created from segment containing ACK.
229 The original concept of a
231 originally appeared in
233 and was later modified by
235 then further extended here.
239 code and manual page were written by
240 .An Jonathan Lemon Aq Mt jlemon@FreeBSD.org .