syncache, syncookies -- sysctl(8) MIBs for controlling TCP SYN caching
The syncache sysctl(8) MIB is used to control the TCP SYN caching in the
system, which is intended to handle SYN flood Denial of Service attacks.
When a TCP SYN segment is received on a port corresponding to a listen
socket, an entry is made in the syncache, and a SYN,ACK segment is
returned to the peer. The syncache entry holds the TCP options from the
initial SYN, enough state to perform a SYN,ACK retransmission, and takes
up less space than a TCP control block endpoint. An incoming segment
which contains an ACK for the SYN,ACK and matches a syncache entry will
cause the system to create a TCP control block with the options stored in
the syncache entry, which is then released.
The syncache protects the system from SYN flood DoS attacks by minimizing
the amount of state kept on the server, and by limiting the overall size
of the syncache.
Transaction TCP accelerated opens (see ttcp(4)) are also supported, and
bypass the syncache.
Syncookies provides a way to virtually expand the size of the syncache by
keeping state regarding the initial SYN in the network. Enabling
syncookies sends a cryptographic value in the SYN,ACK reply to the client
machine, which is then returned in the client's ACK. If the corresponding
entry is not found in the syncache, but the value passes specific
security checks, the connection will be accepted. This is only used if
the syncache is unable to handle the volume of incoming connections, and
a prior entry has been evicted from the cache.
Syncookies have a certain number of disadvantages that a paranoid administrator
may wish to take note of. Since the TCP options from the initial
SYN are not saved, they are not applied to the connection, precluding
use of features like window scale, timestamps, or exact MSS sizing.
As the returning ACK establishes the connection, it may be possible for
an attacker to ACK flood a machine in an attempt to create a connection.
While steps have been taken to militate this risk, this may provide a way
to bypass firewalls which filter incoming segments with the SYN bit set.
The syncache implements a number of variables in the
net.inet.tcp.syncache branch of the sysctl(3) MIB. Several of these may
be tuned by setting the corresponding variable in the loader(8).
hashsize Size of the syncache hash table, must be a power of 2.
Read-only, tunable via loader(8).
bucketlimit Limit on the number of entries permitted in each bucket of
the hash table. This should be left at a low value to minimize
search time. Read-only, tunable via loader(8).
cachelimit Limit on the total number of entries in the syncache.
Defaults to (hashsize x bucketlimit), may be set lower to
minimize memory consumption. Read-only, tunable via
rexmtlimit Maximum number of times a SYN,ACK is retransmitted before
being discarded. The default of 3 retransmits corresponds
to a 15 second timeout, this value may be increased depending
on the RTT to client machines. Tunable via sysctl(3).
count Number of entries present in the syncache (read-only).
Statistics on the performance of the syncache may be obtained via
netstat(1), which provides the following counts:
syncache entries added
Entries successfully inserted in the syncache.
retransmitted SYN,ACK retransmissions due to a timeout expiring.
dupsyn Incoming SYN segment matching an existing entry.
dropped SYNs dropped because SYN,ACK could not be sent.
completed Successfully completed connections.
bucket overflow Entries dropped for exceeding per-bucket size.
cache overflow Entries dropped for exceeding overall cache size.
reset RST segment received.
stale Entries dropped due to maximum retransmissions or listen
aborted New socket allocation failures.
badack Entries dropped due to bad ACK reply.
unreach Entries dropped due to ICMP unreachable messages.
zone failures Failures to allocate new syncache entry.
cookies received Connections created from segment containing ACK.
netstat(1), tcp(4), ttcp(4), loader(8), sysctl(8)
The existing syncache implementation first appeared in FreeBSD 4.5. The
original concept of a syncache originally appeared in BSD/OS, and was
later modified by NetBSD, then further extended here.
The syncache code and manual page were written by Jonathan Lemon
FreeBSD 5.2.1 August 31, 2001 FreeBSD 5.2.1 [ Back ]