Интерактивная система просмотра системных руководств (man-ов)
syncookies (4)
>> syncookies (4) ( FreeBSD man: Специальные файлы /dev/* )
BSD mandoc
NAME
syncache , syncookies
- sysctl(8)
MIBs for controlling TCP SYN caching
SYNOPSIS
sysctl net.inet.tcp.syncookies
sysctl net.inet.tcp.syncache.hashsize
sysctl net.inet.tcp.syncache.bucketlimit
sysctl net.inet.tcp.syncache.cachelimit
sysctl net.inet.tcp.syncache.rexmtlimit
sysctl net.inet.tcp.syncache.count
DESCRIPTION
The
sysctl Cm net.inet.tcp.syncookiessysctl(8)
MIB is used to control the TCP SYN caching in the system, which
is intended to handle SYN flood Denial of Service attacks.
When a TCP SYN segment is received on a port corresponding to a listen
socket, an entry is made in the
,
and a SYN,ACK segment is
returned to the peer.
The
sysctl Cm net.inet.tcp.syncookies
entry holds the TCP options from the initial SYN,
enough state to perform a SYN,ACK retransmission, and takes up less
space than a TCP control block endpoint.
An incoming segment which contains an ACK for the SYN,ACK
and matches a
sysctl Cm net.inet.tcp.syncookies
entry will cause the system to create a TCP control block
with the options stored in the
sysctl Cm net.inet.tcp.syncookies
entry, which is then released.
The
sysctl Cm net.inet.tcp.syncookies
protects the system from SYN flood DoS attacks by minimizing
the amount of state kept on the server, and by limiting the overall size
of the
.
Syncookies
provides a way to virtually expand the size of the
sysctl Cm net.inet.tcp.syncookies
by keeping state regarding the initial SYN in the network.
Enabling
syncookies
sends a cryptographic value in the SYN,ACK reply to
the client machine, which is then returned in the client's ACK.
If the corresponding entry is not found in the
,
but the value
passes specific security checks, the connection will be accepted.
This is only used if the
sysctl Cm net.inet.tcp.syncookies
is unable to handle the volume of
incoming connections, and a prior entry has been evicted from the cache.
Syncookies
have a certain number of disadvantages that a paranoid
administrator may wish to take note of.
Since the TCP options from the initial SYN are not saved, they are not
applied to the connection, precluding use of features like window scale,
timestamps, or exact MSS sizing.
As the returning ACK establishes the connection, it may be possible for
an attacker to ACK flood a machine in an attempt to create a connection.
While steps have been taken to mitigate this risk, this may provide a way
to bypass firewalls which filter incoming segments with the SYN bit set.
The
sysctl Cm net.inet.tcp.syncookies
implements a number of variables in
the
net.inet.tcp.syncache
branch of the
sysctl(3)
MIB.
Several of these may be tuned by setting the corresponding
variable in the
loader(8).
hashsize
Size of the
sysctl Cm net.inet.tcp.syncookies
hash table, must be a power of 2.
Read-only, tunable via
loader(8).
bucketlimit
Limit on the number of entries permitted in each bucket of the hash table.
This should be left at a low value to minimize search time.
Read-only, tunable via
loader(8).
cachelimit
Limit on the total number of entries in the
.
Defaults to
( hashsize в bucketlimit
may be set lower to minimize memory
consumption.
Read-only, tunable via
loader(8).
rexmtlimit
Maximum number of times a SYN,ACK is retransmitted before being discarded.
The default of 3 retransmits corresponds to a 45 second timeout, this value
may be increased depending on the RTT to client machines.
Tunable via
sysctl(3).
count
Number of entries present in the
sysctl Cm net.inet.tcp.syncookies
(read-only).
Statistics on the performance of the
sysctl Cm net.inet.tcp.syncookies
may be obtained via
netstat(1),
which provides the following counts:
syncache entries added
Entries successfully inserted in the
.
retransmitted
SYN,ACK retransmissions due to a timeout expiring.
dupsyn
Incoming SYN segment matching an existing entry.
dropped
SYNs dropped because SYN,ACK could not be sent.
completed
Successfully completed connections.
bucket overflow
Entries dropped for exceeding per-bucket size.
cache overflow
Entries dropped for exceeding overall cache size.
reset
RST segment received.
stale
Entries dropped due to maximum retransmissions or listen socket disappearance.
aborted
New socket allocation failures.
badack
Entries dropped due to bad ACK reply.
unreach
Entries dropped due to ICMP unreachable messages.
zone failures
Failures to allocate new
sysctl Cm net.inet.tcp.syncookies
entry.
The existing
sysctl Cm net.inet.tcp.syncookies
implementation
first appeared in
Fx 4.5 .
The original concept of a
sysctl Cm net.inet.tcp.syncookies
originally appeared in
Bs x ,
and was later modified by
Nx ,
then further extended here.
AUTHORS
The
sysctl Cm net.inet.tcp.syncookies
code and manual page were written by
An Jonathan Lemon Aq [email protected] .
