.\"
.\" syncache - TCP SYN caching to handle SYN flood DoS.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.Dd April 12, 2021
.Dt SYNCACHE 4
.Os
.Sh NAME
.Nm syncache , syncookies
.Nd
.Xr sysctl 8
MIBs for controlling TCP SYN caching
.Sh SYNOPSIS
.Bl -item -compact
.It
.Nm sysctl Cm net.inet.tcp.syncookies
.It
.Nm sysctl Cm net.inet.tcp.syncookies_only
.El
.Pp
.Bl -item -compact
.It
.Nm sysctl Cm net.inet.tcp.syncache.hashsize
.It
.Nm sysctl Cm net.inet.tcp.syncache.bucketlimit
.It
.Nm sysctl Cm net.inet.tcp.syncache.cachelimit
.It
.Nm sysctl Cm net.inet.tcp.syncache.rexmtlimit
.It
.Nm sysctl Cm net.inet.tcp.syncache.count
.It
.Nm sysctl Cm net.inet.tcp.syncache.see_other
.El
.Sh DESCRIPTION
The
.Nm
.Xr sysctl 8
MIB is used to control the TCP SYN caching in the system, which
is intended to handle SYN flood Denial of Service attacks.
.Pp
When a TCP SYN segment is received on a port corresponding to a listen
socket, an entry is made in the
.Nm ,
and a SYN,ACK segment is
returned to the peer.
The
.Nm
entry holds the TCP options from the initial SYN and
enough state to perform a SYN,ACK retransmission, and takes up less
space than a TCP control block endpoint.
An incoming segment which contains an ACK for the SYN,ACK
and matches a
.Nm
entry will cause the system to create a TCP control block
with the options stored in the
.Nm
entry, which is then released.
.Pp
The
.Nm
protects the system from SYN flood DoS attacks by minimizing
the amount of state kept on the server, and by limiting the overall size
of the
.Nm .
.Pp
.Nm Syncookies
provide a way to virtually expand the size of the
.Nm
by keeping state regarding the initial SYN in the network.
Enabling
.Nm syncookies
sends a cryptographic value in the SYN,ACK reply to
the client machine, which is then returned in the client's ACK.
If the corresponding entry is not found in the
.Nm ,
but the value
passes specific security checks, the connection will be accepted.
This is only used if the
.Nm
is unable to handle the volume of
incoming connections, and a prior entry has been evicted from the cache.
.Pp
.Nm Syncookies
have a certain number of disadvantages that a paranoid
administrator may wish to take note of.
Since the TCP options from the initial SYN are not saved, they are not
applied to the connection, precluding use of features like window scale,
timestamps, or exact MSS sizing.
As the returning ACK establishes the connection, it may be possible for
an attacker to ACK flood a machine in an attempt to create a connection.
While steps have been taken to mitigate this risk, this may provide a way
to bypass firewalls which filter incoming segments with the SYN bit set.
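.Pp
The cookie exchange described above, modelled as an added example that is not part of this manual page or of the FreeBSD syncache code: the bit layout, the 64-second time slot, the MSS table and the per-boot secret are assumptions chosen to illustrate the mechanism, not FreeBSD's actual layout. It shows why only an approximate MSS survives the round trip while window scale and timestamps do not, and how the time slot bounds the period during which a given cookie remains valid.

```python
import hashlib
import hmac
import secrets
import struct

# Illustrative SYN cookie model (added example, not FreeBSD's syncache code).
# Bit layout, slot length, MSS table and per-boot secret are assumptions chosen
# to show the mechanism: the server stores nothing per SYN, derives the SYN,ACK
# ISN from a keyed MAC over the 4-tuple and a coarse time slot, and validates
# the returning ACK by recomputing it.  Only a 2-bit MSS class survives; the
# SYN's window scale and timestamp options are lost.
SECRET = secrets.token_bytes(32)      # per-boot secret (assumption)
MSS_TABLE = (536, 1300, 1440, 1460)   # constructed 2-bit MSS classes
SLOT_SECONDS = 64                     # time slot granularity (assumption)
SLOT_MASK, MSS_MASK = 0x3F, 0x03      # ISN bits 7..2 = slot, bits 1..0 = MSS class

def _mac24(src: bytes, dst: bytes, sport: int, dport: int, slot: int) -> int:
    """24-bit keyed MAC over the 4-tuple and the absolute time slot."""
    msg = struct.pack("!4s4sHHQ", src, dst, sport, dport, slot)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")

def mss_class(mss: int) -> int:
    """Index of the largest table MSS not exceeding the advertised one."""
    return max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)

def _assemble(src, dst, sport, dport, slot: int, mss_idx: int) -> int:
    """MAC in the high 24 bits, slot counter in bits 7..2, MSS class in 1..0."""
    low = ((slot & SLOT_MASK) << 2) | (mss_idx & MSS_MASK)
    return (_mac24(src, dst, sport, dport, slot) << 8) | low

def make_cookie(src, dst, sport, dport, mss: int, now: float) -> int:
    """Server side: ISN for the SYN,ACK; no syncache entry is created."""
    return _assemble(src, dst, sport, dport, int(now) // SLOT_SECONDS, mss_class(mss))

def check_cookie(src, dst, sport, dport, ack_seq: int, now: float):
    """Server side on the ACK: recovered MSS if the cookie verifies, else None.

    The ACK number is our ISN + 1; the slot bits must name the current or
    previous slot (bounding cookie lifetime) and the recomputed MAC must match.
    """
    cookie = (ack_seq - 1) & 0xFFFFFFFF
    mss_idx, slot_lo = cookie & MSS_MASK, (cookie >> 2) & SLOT_MASK
    cur = int(now) // SLOT_SECONDS
    for slot in (cur, cur - 1):
        if (slot & SLOT_MASK) != slot_lo:
            continue
        want = _assemble(src, dst, sport, dport, slot, mss_idx)
        if hmac.compare_digest(want.to_bytes(4, "big"), cookie.to_bytes(4, "big")):
            return MSS_TABLE[mss_idx]
    return None
```

A cookie checked more than one slot after it was issued, or with any bit of the MAC altered, is rejected, which is the property that lets the server hold no per-SYN state.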
.Pp
To disable the
.Nm syncache
and run only with
.Nm syncookies ,
set
.Va net.inet.tcp.syncookies_only
to 1.
.Pp
The
.Nm
implements a number of variables in
the
.Va net.inet.tcp.syncache
branch of the
.Xr sysctl 3
MIB.
Several of these may be tuned by setting the corresponding
variable in the
.Xr loader 8 .
.Bl -tag -width ".Va bucketlimit"
.It Va hashsize
Size of the
.Nm
hash table, must be a power of 2.
Read-only, tunable via
.Xr loader 8 .
.It Va bucketlimit
Limit on the number of entries permitted in each bucket of the hash table.
This should be left at a low value to minimize search time.
Read-only, tunable via
.Xr loader 8 .
.It Va cachelimit
Limit on the total number of entries in the
.Nm .
Defaults to
.Va ( hashsize No \(mu Va bucketlimit ) ,
may be set lower to minimize memory
consumption.
Read-only, tunable via
.Xr loader 8 .
.It Va rexmtlimit
Maximum number of times a SYN,ACK is retransmitted before being discarded.
The default of 3 retransmits corresponds to a 45 second timeout; this value
may be increased depending on the RTT to client machines.
Tunable via
.Xr sysctl 3 .
.It Va count
Number of entries present in the
.Nm
(read-only).
.It Va see_other
If set to a true value, all
.Nm
entries will be visible via the
.Va net.inet.tcp.pcblist
sysctl, or via
.Xr netstat 1 ,
ignoring all of the
.Xr security 7
UID/GID,
.Xr jail 2
and
.Xr mac 4
checks.
If turned off, the visibility checks are enforced.
However, extra
.Xr ucred 9
referencing is required on every incoming SYN packet processed.
The default is off.
.El
.Pp
Statistics on the performance of the
.Nm
may be obtained via
.Xr netstat 1 ,
which provides the following counts:
.Bl -tag -width ".Li cookies received"
.It Li "syncache entries added"
Entries successfully inserted in the
.Nm .
.It Li retransmitted
SYN,ACK retransmissions due to a timeout expiring.
.It Li dupsyn
Incoming SYN segments matching an existing entry.
.It Li dropped
SYNs dropped because the SYN,ACK could not be sent.
.It Li completed
Successfully completed connections.
.It Li "bucket overflow"
Entries dropped for exceeding the per-bucket size.
.It Li "cache overflow"
Entries dropped for exceeding the overall cache size.
.It Li reset
RST segments received.
.It Li stale
Entries dropped due to maximum retransmissions or listen socket disappearance.
.It Li aborted
New socket allocation failures.
.It Li badack
Entries dropped due to a bad ACK reply.
.It Li unreach
Entries dropped due to ICMP unreachable messages.
.It Li "zone failures"
Failures to allocate a new
.Nm
entry.
.It Li "cookies received"
Connections created from a segment containing an ACK.
.El
.Sh SEE ALSO
.Xr netstat 1 ,
.Xr jail 2 ,
.Xr mac 4 ,
.Xr tcp 4 ,
.Xr security 7 ,
.Xr loader 8 ,
.Xr sysctl 8 ,
.Xr ucred 9
.Sh HISTORY
The existing
.Nm
implementation
first appeared in
.Fx 4.5 .
The original concept of a
.Nm
first appeared in
.Bsx ,
and was later modified by
.Nx ,
then further extended here.
.Sh AUTHORS
The
.Nm
code and manual page were written by
.An Jonathan Lemon Aq Mt jlemon@FreeBSD.org .