sysctl MIBs for controlling TCP SYN caching.
sysctl net.inet.tcp.syncookies
sysctl net.inet.tcp.syncache.hashsize
sysctl net.inet.tcp.syncache.bucketlimit
sysctl net.inet.tcp.syncache.cachelimit
sysctl net.inet.tcp.syncache.rexmtlimit
sysctl net.inet.tcp.syncache.count
The syncache sysctl MIB is used to control the TCP SYN caching in the system, which is intended to handle SYN flood Denial of Service attacks.
When a TCP SYN segment is received on a port corresponding to a listen socket, an entry is made in the syncache, and a SYN,ACK segment is returned to the peer. The syncache entry holds the TCP options from the initial SYN and enough state to perform a SYN,ACK retransmission, and takes up less space than a TCP control block endpoint. An incoming segment which contains an ACK for the SYN,ACK and matches a syncache entry will cause the system to create a TCP control block with the options stored in the syncache entry; the syncache entry is then released.
The syncache protects the system from SYN flood DoS attacks by minimizing the amount of state kept on the server, and by limiting the overall size of the syncache.
Syncookies provide a way to virtually expand the size of the syncache by keeping state regarding the initial SYN in the network. Enabling syncookies sends a cryptographic value in the SYN,ACK reply to the client machine, which is then returned in the client's ACK. If the corresponding entry is not found in the syncache, but the value passes specific security checks, the connection will be accepted. This is only used if the syncache is unable to handle the volume of incoming connections, and a prior entry has been evicted from the cache.
Syncookies have a certain number of disadvantages that a paranoid administrator may wish to take note of. Since the TCP options from the initial SYN are not saved, they are not applied to the connection, precluding use of features like window scale, timestamps, or exact MSS sizing. As the returning ACK establishes the connection, it may be possible for an attacker to ACK flood a machine in an attempt to create a connection. While steps have been taken to mitigate this risk, this may provide a way to bypass firewalls which filter incoming segments with the SYN bit set.
The syncache implements a number of variables in the net.inet.tcp.syncache branch of the sysctl MIB.
- hashsize
- bucketlimit
- cachelimit
- rexmtlimit
- count
Statistics on the performance of the syncache may be obtained via netstat, which provides the following counts:
- syncache entries added
- retransmitted
- dupsyn
- dropped
- completed
- bucket overflow
- cache overflow
- reset
- stale
- aborted
- badack
- unreach
- zone failures
- cookies received
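The handshake, the bucket and cache eviction, and the syncookie fallback described above, as a constructed Python model added here (not INtime or FreeBSD code). It keeps the page's hashsize, bucketlimit, cachelimit and syncookies knobs and the netstat counter names; the bucket function (client port mod hashsize), the eviction order and the HMAC-based cookie are simplifying assumptions.

```python
# Constructed model of the syncache/syncookie handshake described above; not INtime or FreeBSD
# code. Bucket choice (client port mod hashsize), eviction order and the HMAC cookie are assumptions.
import hashlib
import hmac
import secrets
from collections import OrderedDict


class SynCache:
    def __init__(self, hashsize=4, bucketlimit=2, cachelimit=6, syncookies=True):
        self.hashsize, self.bucketlimit, self.cachelimit = hashsize, bucketlimit, cachelimit
        self.syncookies = syncookies
        self.buckets = [OrderedDict() for _ in range(hashsize)]  # conn -> options from the SYN
        self.stats = dict.fromkeys(["added", "completed", "bucket overflow",
                                    "cache overflow", "badack", "cookies received"], 0)
        self.secret = secrets.token_bytes(16)  # a real stack rotates this periodically

    def _bucket(self, conn):  # conn = (client_ip, client_port, listen_port)
        return self.buckets[conn[1] % self.hashsize]

    def _evict(self, bucket, reason):  # drop the oldest entry; the netstat counter records why
        bucket.popitem(last=False)
        self.stats[reason] += 1

    def cookie(self, conn):  # 32-bit cryptographic value used as the SYN,ACK sequence number
        mac = hmac.new(self.secret, repr(conn).encode(), hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")

    def syn(self, conn, options):  # SYN arrives on a listen port: store an entry, return the ISN
        bucket = self._bucket(conn)
        if len(bucket) >= self.bucketlimit:
            self._evict(bucket, "bucket overflow")
        elif sum(len(b) for b in self.buckets) >= self.cachelimit:  # syncache.count at limit
            self._evict(next(b for b in self.buckets if b), "cache overflow")
        bucket[conn] = options
        self.stats["added"] += 1
        return self.cookie(conn)

    def ack(self, conn, ack_num):  # client's ACK: return the TCP options to apply, or None
        if ack_num != (self.cookie(conn) + 1) & 0xFFFFFFFF:
            self.stats["badack"] += 1
            return None
        bucket = self._bucket(conn)
        if conn in bucket:
            self.stats["completed"] += 1
            return bucket.pop(conn)  # options saved from the initial SYN are honoured
        if self.syncookies:  # entry was evicted, but the cookie still validates the handshake
            self.stats["completed"] += 1
            self.stats["cookies received"] += 1
            return {}  # no window scale, timestamps or exact MSS for this connection
        return None
```

With syncookies disabled, an ACK whose syncache entry has already been evicted is simply dropped, which is the failure mode the cookie path is there to cover.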
| Versions | Link to |
|---|---|
| INtime 4.0 | netlib.lib |