|SYNCACHE(4)||Device Drivers Manual||SYNCACHE(4)|
syncachesysctl(8) MIB is used to control the TCP SYN caching in the system, which is intended to handle SYN flood Denial of Service attacks.
When a TCP SYN segment is received on a port corresponding to a
listen socket, an entry is made in the
a SYN,ACK segment is returned to the peer. The
syncache entry holds the TCP options from the
initial SYN, enough state to perform a SYN,ACK retransmission, and takes up
less space than a TCP control block endpoint. An incoming segment which
contains an ACK for the SYN,ACK and matches a
syncache entry will cause the system to create a TCP
control block with the options stored in the
syncache entry, which is then released.
syncache protects the system from SYN
flood DoS attacks by minimizing the amount of state kept on the server, and
by limiting the overall size of the
Syncookies provides a way to virtually
expand the size of the
syncache by keeping state
regarding the initial SYN in the network. Enabling
syncookies sends a cryptographic value in the
SYN,ACK reply to the client machine, which is then returned in the client's
ACK. If the corresponding entry is not found in the
syncache, but the value passes specific security
checks, the connection will be accepted. This is only used if the
syncache is unable to handle the volume of incoming
connections, and a prior entry has been evicted from the cache.
Syncookies have a certain number of
disadvantages that a paranoid administrator may wish to take note of. Since
the TCP options from the initial SYN are not saved, they are not applied to
the connection, precluding use of features like window scale, timestamps, or
exact MSS sizing. As the returning ACK establishes the connection, it may be
possible for an attacker to ACK flood a machine in an attempt to create a
connection. While steps have been taken to mitigate this risk, this may
provide a way to bypass firewalls which filter incoming segments with the
SYN bit set.
To disable the
syncache and run only with
net.inet.tcp.syncookies_only to 1.
- Size of the
syncachehash table, must be a power of 2. Read-only, tunable via loader(8).
- Limit on the number of entries permitted in each bucket of the hash table. This should be left at a low value to minimize search time. Read-only, tunable via loader(8).
- Limit on the total number of entries in the
syncache. Defaults to (hashsize × bucketlimit), may be set lower to minimize memory consumption. Read-only, tunable via loader(8).
- Maximum number of times a SYN,ACK is retransmitted before being discarded. The default of 3 retransmits corresponds to a 45 second timeout, this value may be increased depending on the RTT to client machines. Tunable via sysctl(3).
- Number of entries present in the
Statistics on the performance of the
syncache may be obtained via
netstat(1), which provides the following counts:
syncache entries added
- Entries successfully inserted in the
- SYN,ACK retransmissions due to a timeout expiring.
- Incoming SYN segment matching an existing entry.
- SYNs dropped because SYN,ACK could not be sent.
- Successfully completed connections.
- Entries dropped for exceeding per-bucket size.
- Entries dropped for exceeding overall cache size.
- RST segment received.
- Entries dropped due to maximum retransmissions or listen socket disappearance.
- New socket allocation failures.
- Entries dropped due to bad ACK reply.
- Entries dropped due to ICMP unreachable messages.
- Failures to allocate new
- Connections created from segment containing ACK.
SEE ALSO¶netstat(1), tcp(4), loader(8), sysctl(8)
syncacheimplementation first appeared in FreeBSD 4.5. The original concept of a
syncacheoriginally appeared in BSD/OS, and was later modified by NetBSD, then further extended here.
syncachecode and manual page were written by Jonathan Lemon <jlemon@FreeBSD.org>.
|January 22, 2008||Linux 4.19.0-10-amd64|