syncache,
syncookies
—
sysctl(8)
MIBs for controlling TCP SYN caching
-
| sysctl
net.inet.tcp.syncookies |
|
-
| sysctl
net.inet.tcp.syncookies_only |
|
-
| sysctl
net.inet.tcp.syncache.hashsize |
|
-
| sysctl
net.inet.tcp.syncache.bucketlimit |
|
-
| sysctl
net.inet.tcp.syncache.cachelimit |
|
-
| sysctl
net.inet.tcp.syncache.rexmtlimit |
|
-
| sysctl
net.inet.tcp.syncache.count |
|
The
syncache sysctl(8)
MIB is used to control the TCP SYN caching in the system, which is intended to
handle SYN flood Denial of Service attacks.
When a TCP SYN segment is received on a port corresponding to a listen socket,
an entry is made in the
syncache, and a SYN,ACK
segment is returned to the peer. The
syncache
entry holds the TCP options from the initial SYN, enough state to perform a
SYN,ACK retransmission, and takes up less space than a TCP control block
endpoint. An incoming segment which contains an ACK for the SYN,ACK and
matches a
syncache entry will cause the system to
create a TCP control block with the options stored in the
syncache entry, which is then released.
The
syncache protects the system from SYN flood DoS
attacks by minimizing the amount of state kept on the server, and by limiting
the overall size of the
syncache.
Syncookies provides a way to virtually expand the
size of the
syncache by keeping state regarding
the initial SYN in the network. Enabling
syncookies sends a cryptographic value in the
SYN,ACK reply to the client machine, which is then returned in the client's
ACK. If the corresponding entry is not found in the
syncache, but the value passes specific security
checks, the connection will be accepted. This is only used if the
syncache is unable to handle the volume of
incoming connections, and a prior entry has been evicted from the cache.
Syncookies have a certain number of disadvantages
that a paranoid administrator may wish to take note of. Since the TCP options
from the initial SYN are not saved, they are not applied to the connection,
precluding use of features like window scale, timestamps, or exact MSS sizing.
As the returning ACK establishes the connection, it may be possible for an
attacker to ACK flood a machine in an attempt to create a connection. While
steps have been taken to mitigate this risk, this may provide a way to bypass
firewalls which filter incoming segments with the SYN bit set.
To disable the
syncache and run only with
syncookies, set
net.inet.tcp.syncookies_only to 1.
The
syncache implements a number of variables in
the
net.inet.tcp.syncache branch of the
sysctl(3) MIB. Several of these may be tuned by
setting the corresponding variable in the
loader(8).
- hashsize
- Size of the syncache hash
table, must be a power of 2. Read-only, tunable via
loader(8).
- bucketlimit
- Limit on the number of entries permitted in each bucket of
the hash table. This should be left at a low value to minimize search
time. Read-only, tunable via loader(8).
- cachelimit
- Limit on the total number of entries in the
syncache. Defaults to
(hashsize
×
bucketlimit), may be set lower to
minimize memory consumption. Read-only, tunable via
loader(8).
- rexmtlimit
- Maximum number of times a SYN,ACK is retransmitted before
being discarded. The default of 3 retransmits corresponds to a 45 second
timeout, this value may be increased depending on the RTT to client
machines. Tunable via sysctl(3).
- count
- Number of entries present in the
syncache (read-only).
Statistics on the performance of the
syncache may
be obtained via
netstat(1), which provides the
following counts:
syncache
entries added- Entries successfully inserted in the
syncache.
retransmitted- SYN,ACK retransmissions due to a timeout expiring.
dupsyn- Incoming SYN segment matching an existing entry.
dropped- SYNs dropped because SYN,ACK could not be sent.
completed- Successfully completed connections.
bucket
overflow- Entries dropped for exceeding per-bucket size.
cache
overflow- Entries dropped for exceeding overall cache size.
reset- RST segment received.
stale- Entries dropped due to maximum retransmissions or listen
socket disappearance.
aborted- New socket allocation failures.
badack- Entries dropped due to bad ACK reply.
unreach- Entries dropped due to ICMP unreachable messages.
zone
failures- Failures to allocate new
syncache entry.
cookies
received- Connections created from segment containing ACK.
netstat(1),
tcp(4),
loader(8),
sysctl(8)
The existing
syncache implementation first appeared
in
FreeBSD 4.5. The original concept of a
syncache originally appeared in
BSD/OS, and was later modified by
NetBSD, then further extended here.
The
syncache code and manual page were written by
Jonathan Lemon
<
[email protected]>.