syncache(4)
NAME
- syncache, syncookies - sysctl(8) MIBs for controlling TCP
- SYN caching
SYNOPSIS
sysctl net.inet.tcp.syncookies sysctl net.inet.tcp.syncache.hashsize sysctl net.inet.tcp.syncache.bucketlimit sysctl net.inet.tcp.syncache.cachelimit sysctl net.inet.tcp.syncache.rexmtlimit sysctl net.inet.tcp.syncache.count
DESCRIPTION
- The syncache sysctl(8) MIB is used to control the TCP SYN
- caching in the
system, which is intended to handle SYN flood Denial of Ser - vice attacks.
- When a TCP SYN segment is received on a port corresponding
- to a listen
socket, an entry is made in the syncache, and a SYN,ACK seg - ment is
returned to the peer. The syncache entry holds the TCP op - tions from the
initial SYN, enough state to perform a SYN,ACK retransmis - sion, and takes
up less space than a TCP control block endpoint. An incom - ing segment
which contains an ACK for the SYN,ACK and matches a syncache - entry will
cause the system to create a TCP control block with the op - tions stored in
the syncache entry, which is then released. - The syncache protects the system from SYN flood DoS attacks
- by minimizing
the amount of state kept on the server, and by limiting the - overall size
of the syncache. - Syncookies provides a way to virtually expand the size of
- the syncache by
keeping state regarding the initial SYN in the network. En - abling
syncookies sends a cryptographic value in the SYN,ACK reply - to the client
machine, which is then returned in the client's ACK. If the - corresponding entry is not found in the syncache, but the value passes
- specific
security checks, the connection will be accepted. This is - only used if
the syncache is unable to handle the volume of incoming con - nections, and
a prior entry has been evicted from the cache. - Syncookies have a certain number of disadvantages that a
- paranoid administrator may wish to take note of. Since the TCP options
- from the initial SYN are not saved, they are not applied to the connec
- tion, precluding use of features like window scale, timestamps, or exact
- MSS sizing.
As the returning ACK establishes the connection, it may be - possible for
an attacker to ACK flood a machine in an attempt to create a - connection.
While steps have been taken to mitigate this risk, this may - provide a way
to bypass firewalls which filter incoming segments with the - SYN bit set.
- The syncache implements a number of variables in the
net.inet.tcp.syncache branch of the sysctl(3) MIB. Several - of these may
be tuned by setting the corresponding variable in the load - er(8).
- hashsize Size of the syncache hash table, must be a
- power of 2.
- Read-only, tunable via loader(8).
- bucketlimit Limit on the number of entries permitted in
- each bucket
- of the hash table. This should be left at
- a low value
to minimize search time. Read-only, tun - able via
loader(8). - cachelimit Limit on the total number of entries in the
- syncache.
- Defaults to (hashsize x bucketlimit), may
- be set lower
to minimize memory consumption. Read-only, - tunable via
loader(8). - rexmtlimit Maximum number of times a SYN,ACK is re
- transmitted
- before being discarded. The default of 3
- retransmits
corresponds to a 15 second timeout, this - value may be
increased depending on the RTT to client - machines. Tunable via sysctl(3).
- count Number of entries present in the syncache
- (read-only).
- Statistics on the performance of the syncache may be ob
- tained via
netstat(1), which provides the following counts: - syncache entries added
- Entries successfully inserted in the
- syncache.
- retransmitted SYN,ACK retransmissions due to a time
- out expiring.
- dupsyn Incoming SYN segment matching an ex
- isting entry.
- dropped SYNs dropped because SYN,ACK could not
- be sent.
- completed Successfully completed connections.
- bucket overflow Entries dropped for exceeding per
- bucket size.
- cache overflow Entries dropped for exceeding overall
- cache size.
- reset RST segment received.
- stale Entries dropped due to maximum re
- transmissions or
- listen socket disappearance.
- aborted New socket allocation failures.
- badack Entries dropped due to bad ACK reply.
- unreach Entries dropped due to ICMP unreach
- able messages.
- zone failures Failures to allocate new syncache en
- try.
- cookies received Connections created from segment con
- taining ACK.
SEE ALSO
netstat(1), tcp(4), loader(8), sysctl(8)
HISTORY
- The existing syncache implementation first appeared in
- FreeBSD 4.5. The
original concept of a syncache originally appeared in - BSD/OS, and was
later modified by NetBSD, then further extended here.
AUTHORS
- The syncache code and manual page were written by Jonathan
- Lemon
<jlemon@FreeBSD.org>. - BSD August 31, 2001