sysctl(8) MIBs for controlling TCP SYN caching
The syncache sysctl(8) MIB is used to control the TCP SYN caching in the system, which is intended to handle SYN flood Denial of Service attacks.
When a TCP SYN segment is received on a port corresponding to a listen socket, an entry is made in the syncache, and a SYN,ACK segment is returned to the peer. The syncache entry holds the TCP options from the initial SYN and enough state to perform a SYN,ACK retransmission, and takes up less space than a TCP control block endpoint. An incoming segment which contains an ACK for the SYN,ACK and matches a syncache entry will cause the system to create a TCP control block with the options stored in the syncache entry, which is then released.
The syncache protects the system from SYN flood DoS attacks by minimizing the amount of state kept on the server, and by limiting the overall size of the syncache.
syncookies provide a way to virtually expand the size of the syncache by keeping state regarding the initial SYN in the network. Enabling syncookies sends a cryptographic value in the SYN,ACK reply to the client machine, which is then returned in the client's ACK. If the corresponding entry is not found in the syncache, but the value passes specific security checks, the connection will be accepted. This is only used if the syncache is unable to handle the volume of incoming connections, and a prior entry has been evicted from the cache.
syncookies have a certain number of disadvantages that a paranoid administrator may wish to take note of. Since the TCP options from the initial SYN are not saved, they are not applied to the connection, precluding use of features like window scale, timestamps, or exact MSS sizing. As the returning ACK establishes the connection, it may be possible for an attacker to ACK flood a machine in an attempt to create a connection. While steps have been taken to mitigate this risk, this may provide a way to bypass firewalls which filter incoming segments with the SYN bit set.
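The handshake handling described above, as an added Python model; this is not code from the syncache implementation or from this manual page. It keeps half-open entries in a hash table bounded per bucket and overall, evicts the oldest entry of a full bucket, and, with syncookies enabled, makes every SYN,ACK's initial sequence number a keyed MAC over the connection 4-tuple and a coarse time slot, so that an ACK for an already-evicted entry can still be verified. The MSS table, the 2-bit MSS encoding in the cookie, the eviction policy, the secret, the time-slot clock and the peer addresses are assumptions of the model, not the kernel's values.

```python
import hashlib
import hmac
import secrets
from collections import OrderedDict, namedtuple

SEQ_MASK = 0xFFFFFFFF
# A cookie ISN holds only a few bits of option state: an index into this (constructed) MSS table.
MSS_TABLE = (216, 536, 1200, 1460)
SynOptions = namedtuple("SynOptions", "mss wscale timestamps", defaults=(None, False))


class SynCache:
    """Model of a syncache: half-open connections in a hash table bounded per bucket and overall."""

    def __init__(self, hashsize=512, bucketlimit=30, cachelimit=None, syncookies=True, secret=None):
        self.buckets = [OrderedDict() for _ in range(hashsize)]   # hashsize: a power of 2
        self.bucketlimit = bucketlimit
        self.cachelimit = cachelimit or hashsize * bucketlimit
        self.count = 0
        self.syncookies = syncookies
        self.secret = secret or secrets.token_bytes(32)
        self.slot = 0   # coarse clock for cookie expiry; advanced by the caller (modelled)
        self.stats = dict.fromkeys(("added", "completed", "bucket_overflow", "cache_overflow",
                                    "badack", "cookies_sent", "cookies_received"), 0)

    def _bucket(self, peer):
        return self.buckets[hash(peer) & (len(self.buckets) - 1)]

    def _cookie(self, peer, slot, mss_idx):
        # Cookie ISN: keyed MAC over the 4-tuple and time slot; the low 2 bits carry the MSS index.
        mac = hmac.new(self.secret, f"{peer!r}|{slot}".encode(), hashlib.sha256).digest()
        return ((int.from_bytes(mac[:4], "big") & ~0x3) | mss_idx) & SEQ_MASK

    def _make_room(self, bucket):
        # Evict the oldest entry of a full bucket, else the oldest anywhere once the cache is full.
        if len(bucket) >= self.bucketlimit:
            bucket.popitem(last=False)
            self.count -= 1
            self.stats["bucket_overflow"] += 1
        elif self.count >= self.cachelimit:
            next(b for b in self.buckets if b).popitem(last=False)   # simplified victim choice
            self.count -= 1
            self.stats["cache_overflow"] += 1

    def on_syn(self, peer, options):
        """SYN for a listening port: record the entry and return the ISN for our SYN,ACK."""
        bucket = self._bucket(peer)
        self._make_room(bucket)
        if self.syncookies:
            # Every SYN,ACK carries a cookie ISN, so an entry evicted later can still complete.
            mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= options.mss), default=0)
            isn = self._cookie(peer, self.slot, mss_idx)
            self.stats["cookies_sent"] += 1
        else:
            isn = secrets.randbelow(SEQ_MASK + 1)
        bucket[peer] = (isn, options)
        self.count += 1
        self.stats["added"] += 1
        return isn

    def on_ack(self, peer, ack):
        """Bare ACK: complete from the entry, else from a valid cookie, else drop. Returns (options, via_cookie) or None."""
        bucket = self._bucket(peer)
        if peer in bucket:
            isn, options = bucket.pop(peer)   # the entry is released whether or not the ACK is good
            self.count -= 1
            if ack == ((isn + 1) & SEQ_MASK):
                self.stats["completed"] += 1
                return options, False
        elif self.syncookies:
            options = self._check_cookie(peer, (ack - 1) & SEQ_MASK)
            if options is not None:
                self.stats["cookies_received"] += 1
                self.stats["completed"] += 1
                return options, True
        self.stats["badack"] += 1
        return None

    def _check_cookie(self, peer, isn):
        mss_idx = isn & 0x3
        for slot in (self.slot, self.slot - 1):   # accept the current and the previous slot
            expected = self._cookie(peer, slot, mss_idx).to_bytes(4, "big")
            if hmac.compare_digest(expected, isn.to_bytes(4, "big")):
                # Only the MSS index survives: no window scale, no timestamps.
                return SynOptions(mss=MSS_TABLE[mss_idx])
        return None


def demo():
    """Constructed scenario: one bucket holding two entries, so a third SYN evicts the first."""
    sc = SynCache(hashsize=1, bucketlimit=2, secret=b"constructed-demo-secret")
    peers = [("10.0.0.%d" % i, 40000 + i, "192.0.2.1", 443) for i in (1, 2, 3)]
    acks = [(sc.on_syn(p, SynOptions(1460, 7, True)) + 1) & SEQ_MASK for p in peers]
    evicted = sc.on_ack(peers[0], acks[0])   # entry gone: completes via the cookie, options lost
    cached = sc.on_ack(peers[2], acks[2])    # entry present: completes with the stored options
    forged = sc.on_ack(("198.51.100.9", 1234, "192.0.2.1", 443), 0x12345678)   # bare ACK, no cookie
    sc.slot += 2
    stale = sc.on_ack(peers[0], acks[0])     # the same cookie outside its time window is rejected
    return sc, evicted, cached, forged, stale
```

Running `demo()` shows the three outcomes the text describes: the connection completed from a cache entry keeps window scaling and timestamps, the one completed from a cookie comes back with only a table MSS and no other options, and a bare ACK without a valid cookie is counted as a bad ACK rather than creating a connection, which is why the firewall-bypass concern above depends on the strength of the cookie check and its time window.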
To disable the syncache and run only with syncookies,
The syncache implements a number of variables in a branch of the sysctl(8) MIB. Several of these may be tuned by setting the corresponding variable in the loader(8).
- hashsize - Size of the syncache hash table, must be a power of 2. Read-only, tunable via loader(8).
- bucketlimit - Limit on the number of entries permitted in each bucket of the hash table. This should be left at a low value to minimize search time. Read-only, tunable via loader(8).
- Limit on the total number of entries in the syncache. Defaults to (hashsize × bucketlimit), may be set lower to minimize memory consumption. Read-only, tunable via loader(8).
- Maximum number of times a SYN,ACK is retransmitted before being discarded. The default of 3 retransmits corresponds to a 45 second timeout; this value may be increased depending on the RTT to client machines. Tunable via sysctl(3).
- Number of entries present in the syncache.
Statistics on the performance of the syncache may be obtained as the following counts:
- Entries successfully inserted in the syncache.
- SYN,ACK retransmissions due to a timeout expiring.
- Incoming SYN segment matching an existing entry.
- SYNs dropped because SYN,ACK could not be sent.
- Successfully completed connections.
- Entries dropped for exceeding per-bucket size.
- Entries dropped for exceeding overall cache size.
- RST segment received.
- Entries dropped due to maximum retransmissions or listen
- New socket allocation failures.
- Entries dropped due to bad ACK reply.
- Entries dropped due to ICMP unreachable messages.
- Failures to allocate new syncache entries.
- Connections created from segment containing ACK.
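An added Python helper, not from the manual page, that checks the tunables listed in the previous section for consistency and turns the counters listed above into operator findings. It assumes the FreeBSD names of those variables (hashsize, bucketlimit, cachelimit, rexmtlimit and count under the net.inet.tcp.syncache branch), that sysctl(8) prints them as "name: value" lines, and that SYN,ACK retransmissions start at 3 seconds and double each time, which reproduces the 45 second figure given above for 3 retransmits; the sample sysctl output, the counter snapshot and the alert thresholds are constructed.

```python
import re

BRANCH = "net.inet.tcp.syncache."   # assumed FreeBSD MIB branch holding the variables above
RTOBASE = 3.0   # assumed: SYN,ACK retransmits start at 3 s and double, so 3 retransmits = 45 s


def parse_sysctl(text):
    """Parse "name: value" lines in sysctl(8) output format into {leaf: int}."""
    values = {}
    for line in text.splitlines():
        m = re.match(r"\s*" + re.escape(BRANCH) + r"(\w+):\s*(\d+)\s*$", line)
        if m:
            values[m.group(1)] = int(m.group(2))
    return values


def synack_timeout(rexmtlimit):
    """Seconds an unanswered entry is kept: the initial wait plus each doubled retransmit wait."""
    return sum(RTOBASE * 2 ** i for i in range(rexmtlimit + 1))


def check_tunables(t):
    """Consistency checks on the variables above; returns a list of findings (strings)."""
    hs, bl, cl = t["hashsize"], t["bucketlimit"], t["cachelimit"]
    findings = []
    if hs <= 0 or hs & (hs - 1):
        findings.append(f"hashsize {hs} is not a power of 2")
    if cl > hs * bl:
        findings.append(f"cachelimit {cl} exceeds hashsize*bucketlimit = {hs * bl}, the most the table can hold")
    if t["count"] >= cl:
        findings.append(f"cache is full ({t['count']}/{cl}): new SYNs are evicting existing entries")
    return findings


def triage_counters(c):
    """Operator findings from the counters described above. Thresholds are illustrative."""
    findings = []
    evicted = c["bucket_overflow"] + c["cache_overflow"]
    if c["added"] and evicted / c["added"] > 0.01:
        findings.append(f"{100 * evicted / c['added']:.1f}% of entries evicted: cache undersized for the SYN rate")
    if c["cookies_received"]:
        findings.append(f"{c['cookies_received']} connections completed via syncookies: no window scale/timestamps")
    if c["badack"] > c["completed"]:
        findings.append("more bad ACKs than completed connections: consistent with an ACK flood")
    return findings


# Constructed sample in sysctl(8) output format (values are made up).
SAMPLE_SYSCTL = """\
net.inet.tcp.syncache.bucketlimit: 30
net.inet.tcp.syncache.cachelimit: 15360
net.inet.tcp.syncache.count: 15360
net.inet.tcp.syncache.hashsize: 512
net.inet.tcp.syncache.rexmtlimit: 3
"""

# Constructed counter snapshot; the keys follow the counter descriptions above.
SAMPLE_COUNTERS = {"added": 200000, "completed": 120000, "bucket_overflow": 30000,
                   "cache_overflow": 5000, "badack": 150000, "cookies_received": 40000}

if __name__ == "__main__":
    tunables = parse_sysctl(SAMPLE_SYSCTL)
    print(f"SYN,ACK retransmit timeout: {synack_timeout(tunables['rexmtlimit']):.0f} s")
    for finding in check_tunables(tunables) + triage_counters(SAMPLE_COUNTERS):
        print("-", finding)
```

On a FreeBSD host the input to `parse_sysctl` would be the output of `sysctl net.inet.tcp.syncache`; the counter ratios are the ones worth graphing over time, since a rising eviction or cookie-completion rate is the earliest sign that the cache is undersized for the offered SYN load, and a bad-ACK count outrunning completions is the signature of the ACK-flood behaviour discussed above.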
The existing syncache implementation first appeared in
. The original concept of a syncache originally appeared in
, and was later modified by
, then further extended here.
The syncache code and manual page were written by