SYNCACHE(4)                 Device Drivers Manual                 SYNCACHE(4)

NAME
     syncache, syncookies — sysctl(8) MIBs for controlling TCP SYN caching

SYNOPSIS
     sysctl net.inet.tcp.syncache
     sysctl net.inet.tcp.syncookies_only
DESCRIPTION
     The syncache sysctl(8) MIB is used to control the TCP SYN caching in the
     system, which is intended to handle SYN flood Denial of Service attacks.

     When a TCP SYN segment is received on a port corresponding to a listen
     socket, an entry is made in the syncache, and a SYN,ACK segment is
     returned to the peer.  The syncache entry holds the TCP options from the
     initial SYN, enough state to perform a SYN,ACK retransmission, and takes
     up less space than a TCP control block endpoint.  An incoming segment
     which contains an ACK for the SYN,ACK and matches a syncache entry will
     cause the system to create a TCP control block with the options stored
     in the syncache entry, which is then released.

     The syncache protects the system from SYN flood DoS attacks by
     minimizing the amount of state kept on the server, and by limiting the
     overall size of the syncache.

     Syncookies provide a way to virtually expand the size of the syncache by
     keeping state regarding the initial SYN in the network.  Enabling
     syncookies sends a cryptographic value in the SYN,ACK reply to the
     client machine, which is then returned in the client's ACK.  If the
     corresponding entry is not found in the syncache, but the value passes
     specific security checks, the connection will be accepted.  This is only
     used if the syncache is unable to handle the volume of incoming
     connections, and a prior entry has been evicted from the cache.

     Syncookies have a certain number of disadvantages that a paranoid
     administrator may wish to take note of.  Since the TCP options from the
     initial SYN are not saved, they are not applied to the connection,
     precluding use of features like window scale, timestamps, or exact MSS
     sizing.  As the returning ACK establishes the connection, it may be
     possible for an attacker to ACK flood a machine in an attempt to create
     a connection.  While steps have been taken to mitigate this risk, this
     may provide a way to bypass firewalls which filter incoming segments
     with the SYN bit set.

     To disable the syncache and run only with syncookies, set
     net.inet.tcp.syncookies_only to 1.
     The syncache implements a number of variables in the
     net.inet.tcp.syncache branch of the sysctl(3) MIB.  Several of these may
     be tuned by setting the corresponding variable in the loader(8).

     The size of the syncache hash table (hashsize) must be a power of 2; it
     is read-only, tunable via loader(8).  The limit on the total number of
     syncache entries defaults to (hashsize × bucketlimit) and may be set
     lower to minimize memory consumption; it is read-only, tunable via
     loader(8).  The number of entries currently present in the syncache is
     also exported (read-only).

     Statistics on the performance of the syncache may be obtained via
     netstat(1), which provides the following counts:

     entries added      syncache entries added
     retransmitted
     dupsyn
     dropped
     completed
     bucket overflow
     cache overflow
     reset
     stale
     aborted
     badack
     unreach
     zone failures
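As an added example, not part of this manual page, the following sh script reads the syncache counters in the layout netstat(1) prints them (netstat -s -p tcp on FreeBSD) and flags when a noticeable share of SYNs overflowed the cache, the condition under which syncookies, if enabled, take over and the SYN's TCP options are lost. The sample counters are constructed with invented numbers, and the alert threshold is an assumption of this example rather than a kernel setting.

```shell
#!/bin/sh
# Added example: read the syncache counters as netstat(1) reports them and
# flag when SYNs overflow the cache, the point at which syncookies (if
# enabled) take over and the TCP options from the SYN are lost.

# Constructed sample (invented numbers) laid out like the counter list above.
SAMPLE='        120345 syncache entries added
                812 retransmitted
                44 dupsyn
                2 dropped
                118900 completed
                1570 bucket overflow
                39 cache overflow
                12 reset
                900 stale
                0 aborted
                3 badack
                0 unreach
                0 zone failures'

# syncache_counter NAME TEXT: print the value of counter NAME (0 if absent).
syncache_counter() {
    printf '%s\n' "$2" | awk -v name="$1" '
        $0 ~ ("^[ \t]*[0-9]+ " name "$") { print $1; found = 1; exit }
        END { if (!found) print 0 }'
}

# syncache_overflow_permille TEXT: SYNs the cache could not hold (bucket plus
# cache overflow) per 1000 SYNs seen, as an integer.
syncache_overflow_permille() {
    added=$(syncache_counter 'syncache entries added' "$1")
    bucket=$(syncache_counter 'bucket overflow' "$1")
    cache=$(syncache_counter 'cache overflow' "$1")
    total=$((added + bucket + cache))
    [ "$total" -gt 0 ] || { echo 0; return 0; }
    echo $(( (bucket + cache) * 1000 / total ))
}

# syncache_alert TEXT THRESHOLD: return 1 when the overflow rate reaches
# THRESHOLD per mille (an assumed tuning knob, not a kernel setting).
syncache_alert() {
    rate=$(syncache_overflow_permille "$1")
    if [ "$rate" -ge "$2" ]; then
        echo "ALERT: $rate/1000 SYNs overflowed the syncache"
        return 1
    fi
    echo "ok: $rate/1000 SYNs overflowed the syncache"
}
syncache_alert "$SAMPLE" 10 || true   # prints "ALERT: 13/1000 ..." for the sample
```

A rising overflow rate together with a large stale count (entries that timed out without completing) is the pattern a SYN flood from unreachable sources leaves behind; the counters are cumulative since boot, so compare successive readings rather than the raw totals.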
HISTORY
     The existing syncache implementation first appeared in FreeBSD 4.5.  The
     concept of a syncache originally appeared in BSD/OS, and was later
     modified by NetBSD, then further extended here.
AUTHORS
     The syncache code and manual page were written by Jonathan Lemon
     <jlemon@FreeBSD.org>.

Debian                        January 22, 2008                    SYNCACHE(4)