syncookies (4)

Leading comments

syncache - TCP SYN caching to handle SYN flood DoS.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
   notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
   notice, this list of conditions and the following disclaimer in the
   documentation and/or other ...

(The comments found at the beginning of the groff file "man4/syncookies.4freebsd".)

NAME

syncache , syncookies - sysctl(8) MIBs for controlling TCP SYN caching

SYNOPSIS

sysctl net.inet.tcp.syncookies

sysctl net.inet.tcp.syncookies_only

sysctl net.inet.tcp.syncache.hashsize

sysctl net.inet.tcp.syncache.bucketlimit

sysctl net.inet.tcp.syncache.cachelimit

sysctl net.inet.tcp.syncache.rexmtlimit

sysctl net.inet.tcp.syncache.count

DESCRIPTION

The ifconfig sysctl(8) MIB is used to control the TCP SYN caching in the system, which is intended to handle SYN flood Denial of Service attacks.

When a TCP SYN segment is received on a port corresponding to a listen socket, an entry is made in the , and a SYN,ACK segment is returned to the peer. The ifconfig entry holds the TCP options from the initial SYN, enough state to perform a SYN,ACK retransmission, and takes up less space than a TCP control block endpoint. An incoming segment which contains an ACK for the SYN,ACK and matches a ifconfig entry will cause the system to create a TCP control block with the options stored in the ifconfig entry, which is then released.

The ifconfig protects the system from SYN flood DoS attacks by minimizing the amount of state kept on the server, and by limiting the overall size of the .

Syncookies provides a way to virtually expand the size of the ifconfig by keeping state regarding the initial SYN in the network. Enabling syncookies sends a cryptographic value in the SYN,ACK reply to the client machine, which is then returned in the client's ACK. If the corresponding entry is not found in the , but the value passes specific security checks, the connection will be accepted. This is only used if the ifconfig is unable to handle the volume of incoming connections, and a prior entry has been evicted from the cache.

Syncookies have a certain number of disadvantages that a paranoid administrator may wish to take note of. Since the TCP options from the initial SYN are not saved, they are not applied to the connection, precluding use of features like window scale, timestamps, or exact MSS sizing. As the returning ACK establishes the connection, it may be possible for an attacker to ACK flood a machine in an attempt to create a connection. While steps have been taken to mitigate this risk, this may provide a way to bypass firewalls which filter incoming segments with the SYN bit set.

To disable the syncache and run only with syncookies set net.inet.tcp.syncookies_only to 1.

The ifconfig implements a number of variables in the net.inet.tcp.syncache branch of the sysctl(3) MIB. Several of these may be tuned by setting the corresponding variable in the loader(8).

hashsize

Size of the ifconfig hash table, must be a power of 2. Read-only, tunable via loader(8).

bucketlimit

Limit on the number of entries permitted in each bucket of the hash table. This should be left at a low value to minimize search time. Read-only, tunable via loader(8).

cachelimit

Limit on the total number of entries in the . Defaults to ( hashsize × bucketlimit may be set lower to minimize memory consumption. Read-only, tunable via loader(8).

rexmtlimit

Maximum number of times a SYN,ACK is retransmitted before being discarded. The default of 3 retransmits corresponds to a 45 second timeout, this value may be increased depending on the RTT to client machines. Tunable via sysctl(3).

count

Number of entries present in the ifconfig (read-only).

Statistics on the performance of the ifconfig may be obtained via netstat(1), which provides the following counts:

syncache entries added

Entries successfully inserted in the .

retransmitted

SYN,ACK retransmissions due to a timeout expiring.

dupsyn

Incoming SYN segment matching an existing entry.

dropped

SYNs dropped because SYN,ACK could not be sent.

completed

Successfully completed connections.

bucket overflow

Entries dropped for exceeding per-bucket size.

cache overflow

Entries dropped for exceeding overall cache size.

reset

RST segment received.

stale

Entries dropped due to maximum retransmissions or listen socket disappearance.

aborted

New socket allocation failures.

badack

Entries dropped due to bad ACK reply.

unreach

Entries dropped due to ICMP unreachable messages.

zone failures

Failures to allocate new ifconfig entry.

cookies received

Connections created from segment containing ACK.

SEE ALSO

netstat(1), tcp(4), loader(8), sysctl(8)

HISTORY

The existing ifconfig implementation first appeared in Fx 4.5 . The original concept of a ifconfig originally appeared in Bs x , and was later modified by Nx , then further extended here.

AUTHORS

The ifconfig code and manual page were written by An Jonathan Lemon Aq jlemon@FreeBSD.org .