2 .\" syncache - TCP SYN caching to handle SYN flood DoS.
4 .\" Redistribution and use in source and binary forms, with or without
5 .\" modification, are permitted provided that the following conditions
7 .\" 1. Redistributions of source code must retain the above copyright
8 .\" notice, this list of conditions and the following disclaimer.
9 .\" 2. Redistributions in binary form must reproduce the above copyright
10 .\" notice, this list of conditions and the following disclaimer in the
11 .\" documentation and/or other materials provided with the distribution.
.Nm syncache , syncookies
MIBs for controlling TCP SYN caching
.Nm sysctl Cm net.inet.tcp.syncookies
.Nm sysctl Cm net.inet.tcp.syncookies_only
.Nm sysctl Cm net.inet.tcp.syncache.hashsize
.Nm sysctl Cm net.inet.tcp.syncache.bucketlimit
.Nm sysctl Cm net.inet.tcp.syncache.cachelimit
.Nm sysctl Cm net.inet.tcp.syncache.rexmtlimit
.Nm sysctl Cm net.inet.tcp.syncache.count
.Nm sysctl Cm net.inet.tcp.syncache.see_other
MIB is used to control the TCP SYN caching in the system, which
is intended to handle SYN flood Denial of Service attacks.
When a TCP SYN segment is received on a port corresponding to a listen
socket, an entry is made in the
and a SYN,ACK segment is
entry holds the TCP options from the initial SYN,
enough state to perform a SYN,ACK retransmission, and takes up less
space than a full TCP control block endpoint.
An incoming segment that contains an ACK for the SYN,ACK
entry will cause the system to create a TCP control block
with the options stored in the
entry, which is then released.
protects the system from SYN flood DoS attacks by minimizing
the amount of state kept on the server, and by limiting the overall size
provides a way to virtually expand the size of the
by keeping the state regarding the initial SYN in the network rather
than on the server.
sends a cryptographic value in the SYN,ACK reply to
the client machine, which is then returned in the client's ACK.
If the corresponding entry is not found in the
passes specific security checks, the connection will be accepted.
This is only used if the
is unable to handle the volume of
incoming connections, and a prior entry has been evicted from the cache.
have a certain number of disadvantages that a paranoid
administrator may wish to take note of.
Since the TCP options from the initial SYN are not saved, they are not
applied to the connection, precluding use of features like window scale,
timestamps, or exact MSS sizing.
As the returning ACK alone establishes the connection, it may be possible
for an attacker to flood a machine with ACK segments in an attempt to
create a connection without ever sending a SYN.
While steps have been taken to mitigate this risk, this may provide a way
to bypass firewalls which filter incoming segments with the SYN bit set.
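.Pp
The following is an added worked example, not code from the FreeBSD
syncache implementation, showing the mechanism described above in the
style of the original SYN cookie scheme:
the server keeps no state for the SYN, but derives the SYN,ACK sequence
number from a keyed MAC (SipHash-2-4 here) over the 4-tuple, a coarse
time slot and a 3-bit index into a small MSS table, and accepts the
returning ACK only when the MAC verifies and the slot is recent.
The cookie layout, the 64 second slot, the two-slot acceptance window
and the MSS table are assumptions made for this illustration.
It also makes the disadvantages concrete: only eight MSS values can be
expressed, no other options survive, and an attacker who never sends a
SYN must guess the 24 MAC bits to have an ACK accepted.

```c
/*
 * Illustrative SYN cookie generation and verification (added example,
 * not the FreeBSD syncache code).  Cookie layout, slot length, window
 * and MSS table are assumptions made for this illustration.
 */
#include <stdint.h>

struct tuple4 {                 /* 4-tuple identifying the SYN */
	uint32_t saddr, daddr;  /* IPv4 addresses, host byte order */
	uint16_t sport, dport;
};

/* MSS values the 3-bit field can express (assumed table). */
static const uint16_t mss_table[8] = { 216, 536, 1220, 1400, 1440, 1452, 1460, 8960 };

#define SLOT_SECONDS 64		/* assumption: cookie time slot length */
#define SLOT_WINDOW  1		/* accept the current slot and the previous one */

/* SipHash-2-4 over a fixed 16-byte message given as two 64-bit words. */
#define ROTL(x, b) ((uint64_t)(((x) << (b)) | ((x) >> (64 - (b)))))
#define SIPROUND do { \
	v0 += v1; v1 = ROTL(v1, 13); v1 ^= v0; v0 = ROTL(v0, 32); \
	v2 += v3; v3 = ROTL(v3, 16); v3 ^= v2; \
	v0 += v3; v3 = ROTL(v3, 21); v3 ^= v0; \
	v2 += v1; v1 = ROTL(v1, 17); v1 ^= v2; v2 = ROTL(v2, 32); \
} while (0)

static uint64_t
siphash24_2w(const uint64_t key[2], uint64_t m0, uint64_t m1)
{
	uint64_t v0 = 0x736f6d6570736575ULL ^ key[0];
	uint64_t v1 = 0x646f72616e646f6dULL ^ key[1];
	uint64_t v2 = 0x6c7967656e657261ULL ^ key[0];
	uint64_t v3 = 0x7465646279746573ULL ^ key[1];
	uint64_t last = (uint64_t)16 << 56;	/* message length in the top byte */

	v3 ^= m0; SIPROUND; SIPROUND; v0 ^= m0;
	v3 ^= m1; SIPROUND; SIPROUND; v0 ^= m1;
	v3 ^= last; SIPROUND; SIPROUND; v0 ^= last;
	v2 ^= 0xff;
	SIPROUND; SIPROUND; SIPROUND; SIPROUND;
	return (v0 ^ v1 ^ v2 ^ v3);
}

/* 24-bit keyed MAC over the 4-tuple, the full time slot and the MSS index. */
static uint32_t
cookie_mac(const uint64_t key[2], const struct tuple4 *t, uint32_t slot, unsigned idx)
{
	uint64_t m0 = ((uint64_t)t->saddr << 32) | t->daddr;
	uint64_t m1 = ((uint64_t)t->sport << 48) | ((uint64_t)t->dport << 32) |
	    ((uint64_t)idx << 29) | (slot & 0x1fffffff);
	return ((uint32_t)siphash24_2w(key, m0, m1) & 0xffffff);
}

/* Largest table MSS not exceeding what the client advertised. */
static unsigned
mss_to_index(uint16_t mss)
{
	unsigned i, best = 0;
	for (i = 0; i < 8; i++)
		if (mss_table[i] <= mss)
			best = i;
	return best;
}

/* ISN for the SYN,ACK: top 5 bits slot mod 32, 3 bits MSS index, 24 bits MAC. */
uint32_t
syncookie_make(const uint64_t key[2], const struct tuple4 *t, uint32_t now, uint16_t mss)
{
	uint32_t slot = now / SLOT_SECONDS;
	unsigned idx = mss_to_index(mss);
	return ((slot & 0x1f) << 27) | (idx << 24) | cookie_mac(key, t, slot, idx);
}

/*
 * Check the ACK that completes the handshake (ack == ISN + 1).  Returns 1
 * and the MSS to use when the cookie is genuine and fresh, 0 otherwise.
 */
int
syncookie_check(const uint64_t key[2], const struct tuple4 *t, uint32_t now,
    uint32_t ack, uint16_t *mss_out)
{
	uint32_t cookie = ack - 1;
	uint32_t cur = now / SLOT_SECONDS;
	uint32_t age = (cur - (cookie >> 27)) & 0x1f;	/* slots since issue, mod 32 */
	unsigned idx = (cookie >> 24) & 7;
	uint32_t slot;

	if (age > SLOT_WINDOW)
		return 0;		/* stale, or the slot bits were forged */
	slot = cur - age;		/* reconstruct the full slot the server used */
	if ((cookie & 0xffffff) != cookie_mac(key, t, slot, idx))
		return 0;		/* MAC mismatch: not issued by us for this 4-tuple */
	*mss_out = mss_table[idx];
	return 1;
}
```

The MSS index is covered by the MAC, so an ACK with a flipped index bit is
rejected rather than accepted with a different MSS; the slot bits are not
trusted directly but used only to reconstruct the slot that is then
re-authenticated.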
.Va net.inet.tcp.syncookies_only
implements a number of variables in
.Va net.inet.tcp.syncache
Several of these may be tuned by setting the corresponding
.Bl -tag -width ".Va bucketlimit"
hash table, which must be a power of 2.
Read-only, tunable via
Limit on the number of entries permitted in each bucket of the hash table.
This should be left at a low value to minimize search time.
Read-only, tunable via
Limit on the total number of entries in the
.Va ( hashsize No \(mu Va bucketlimit ) ,
may be set lower to minimize memory
Read-only, tunable via
Maximum number of times a SYN,ACK is retransmitted before the entry is discarded.
The default of 3 retransmits corresponds to a 45 second timeout; this value
may be increased depending on the RTT to client machines.
Number of entries present in the
If set to a true value, all
entries will be visible via
.Va net.inet.tcp.pcblist
If turned off, the visibility checks are enforced.
referencing is required on every incoming SYN packet processed.
Statistics on the performance of the
which provides the following counts:
.Bl -tag -width ".Li cookies received"
.It Li "syncache entries added"
Entries successfully inserted in the
SYN,ACK retransmissions due to a timeout expiring.
Incoming SYN segments matching an existing entry.
SYNs dropped because the SYN,ACK could not be sent.
Successfully completed connections.
.It Li "bucket overflow"
Entries dropped for exceeding the per-bucket size.
.It Li "cache overflow"
Entries dropped for exceeding the overall cache size.
Entries dropped because an RST segment was received.
Entries dropped due to reaching the maximum number of retransmissions or
the listen socket disappearing.
New socket allocation failures.
Entries dropped due to a bad ACK reply.
Entries dropped due to ICMP unreachable messages.
.It Li "zone failures"
Failures to allocate new
.It Li "cookies received"
Connections created from a segment containing an ACK.
The concept of a
first appeared in
and was later modified by
then further extended here.
code and manual page were written by
.An Jonathan Lemon Aq Mt jlemon@FreeBSD.org .