.\"
.\" syncache - TCP SYN caching to handle SYN flood DoS.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" $FreeBSD$
.\"
.Dd April 12, 2021
.Dt SYNCACHE 4
.Os
.Sh NAME
.Nm syncache , syncookies
.Nd
.Xr sysctl 8
MIBs for controlling TCP SYN caching
.Sh SYNOPSIS
.Bl -item -compact
.It
.Nm sysctl Cm net.inet.tcp.syncookies
.It
.Nm sysctl Cm net.inet.tcp.syncookies_only
.El
.Pp
.Bl -item -compact
.It
.Nm sysctl Cm net.inet.tcp.syncache.hashsize
.It
.Nm sysctl Cm net.inet.tcp.syncache.bucketlimit
.It
.Nm sysctl Cm net.inet.tcp.syncache.cachelimit
.It
.Nm sysctl Cm net.inet.tcp.syncache.rexmtlimit
.It
.Nm sysctl Cm net.inet.tcp.syncache.count
.It
.Nm sysctl Cm net.inet.tcp.syncache.see_other
.El
.Sh DESCRIPTION
The
.Nm
.Xr sysctl 8
MIB is used to control the TCP SYN caching in the system, which
is intended to handle SYN flood Denial of Service attacks.
.Pp
When a TCP SYN segment is received on a port corresponding to a listen
socket, an entry is made in the
.Nm ,
and a SYN,ACK segment is
returned to the peer.
The
.Nm
entry holds the TCP options from the initial SYN,
enough state to perform a SYN,ACK retransmission, and takes up less
space than a TCP control block endpoint.
An incoming segment which contains an ACK for the SYN,ACK
and matches a
.Nm
entry will cause the system to create a TCP control block
with the options stored in the
.Nm
entry, which is then released.
.Pp
The
.Nm
protects the system from SYN flood DoS attacks by minimizing
the amount of state kept on the server, and by limiting the overall size
of the
.Nm .
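.Pp
The following model, added here as an illustration and not taken from the
FreeBSD kernel, shows the lifecycle described above in Python: an entry is
created on SYN, a matching ACK returns the stored options and releases the
entry, pending entries are retransmitted and then expire, and a full bucket
evicts its oldest entry.
The hash function, the eviction order and the timer schedule are assumptions
made for the example; the counter names follow the statistics listed in this
page.

```python
"""Simplified model of the syncache: a hash table of small per-SYN entries
bounded by bucketlimit and cachelimit.  Added illustration, not the FreeBSD
kernel's code; hashing, eviction order and timer schedule are simplified."""
from collections import Counter, OrderedDict
from dataclasses import dataclass
import hashlib


@dataclass
class SyncacheEntry:
    """Just enough to finish the handshake: our ISN, the SYN's options and the
    number of SYN,ACK retransmissions sent.  Far smaller than a full TCB."""
    iss: int
    options: dict
    rexmt: int = 0


class Syncache:
    def __init__(self, hashsize=512, bucketlimit=30, cachelimit=None, rexmtlimit=3):
        if hashsize <= 0 or hashsize & (hashsize - 1):
            raise ValueError("hashsize must be a power of 2")
        self.hashsize, self.bucketlimit, self.rexmtlimit = hashsize, bucketlimit, rexmtlimit
        # cachelimit defaults to hashsize x bucketlimit, as the page states.
        self.cachelimit = hashsize * bucketlimit if cachelimit is None else cachelimit
        # Each bucket keeps insertion order so its oldest entry can be evicted.
        self.buckets = [OrderedDict() for _ in range(hashsize)]
        self.count = 0
        self.stats = Counter()

    def _bucket(self, peer):
        # Hash the 4-tuple; a power-of-2 hashsize lets us mask instead of modulo.
        h = hashlib.blake2b(repr(peer).encode(), digest_size=4).digest()
        return self.buckets[int.from_bytes(h, "big") & (self.hashsize - 1)]

    def _release(self, bucket, peer, reason):
        del bucket[peer]
        self.count -= 1
        self.stats[reason] += 1

    def on_syn(self, peer, iss, options):
        """SYN on a listening port: record an entry; the caller sends SYN,ACK."""
        bucket = self._bucket(peer)
        if peer in bucket:
            self.stats["dupsyn"] += 1
            return False
        if len(bucket) >= self.bucketlimit:      # bucket full: evict its oldest entry
            self._release(bucket, next(iter(bucket)), "bucket overflow")
        elif self.count >= self.cachelimit:      # cache full: no entry for this SYN
            self.stats["cache overflow"] += 1
            return False
        bucket[peer] = SyncacheEntry(iss, dict(options))
        self.count += 1
        self.stats["syncache entries added"] += 1
        return True

    def on_ack(self, peer, ack):
        """ACK of our SYN,ACK: on a match, return the stored options for the new
        TCB and release the entry.  None means no entry or a wrong ACK number."""
        bucket = self._bucket(peer)
        entry = bucket.get(peer)
        if entry is None:
            return None
        if ack != entry.iss + 1:
            self._release(bucket, peer, "badack")
            return None
        self._release(bucket, peer, "completed")
        return entry.options

    def on_timer(self):
        """Retransmit every pending SYN,ACK; expire entries past rexmtlimit."""
        for bucket in self.buckets:
            for peer, entry in list(bucket.items()):
                if entry.rexmt >= self.rexmtlimit:
                    self._release(bucket, peer, "stale")
                else:
                    entry.rexmt += 1
                    self.stats["retransmitted"] += 1


def handshake_demo():
    """Constructed: one client completes after a retransmitted SYN and a
    stray ACK from a peer that never sent a SYN."""
    sc = Syncache()
    peer = ("10.0.0.5", 40000, "192.0.2.1", 443)
    sc.on_syn(peer, 1000, {"mss": 1460, "wscale": 7, "ts": True})
    dup = sc.on_syn(peer, 1000, {})
    stray = sc.on_ack(("10.0.0.6", 40001, "192.0.2.1", 443), 1)
    opts = sc.on_ack(peer, 1001)
    return dup, stray, opts, sc.count, dict(sc.stats)


def flood_demo():
    """Constructed: a tiny cache under 40 SYNs whose sources never ACK, then
    enough timer ticks for every leftover entry to go stale."""
    sc = Syncache(hashsize=4, bucketlimit=2)     # cachelimit = 8
    for i in range(40):
        sc.on_syn(("198.51.100.%d" % i, 50000 + i, "192.0.2.1", 443), 5000 + i, {"mss": 536})
    peak = sc.count
    for _ in range(sc.rexmtlimit + 1):
        sc.on_timer()
    return peak, sc.count, dict(sc.stats)
```

The flood scenario shows the two bounds working together: the cache never
holds more than cachelimit entries whatever the arrival rate, and each
evicted entry is accounted for in the same counters that
.Xr netstat 1
reports, so a rising bucket overflow count is the first visible sign that
the cache is too small for the load or that a flood is under way.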
.Pp
.Nm Syncookies
provides a way to virtually expand the size of the
.Nm
by keeping state regarding the initial SYN in the network.
Enabling
.Nm syncookies
sends a cryptographic value in the SYN,ACK reply to
the client machine, which is then returned in the client's ACK.
If the corresponding entry is not found in the
.Nm ,
but the value
passes specific security checks, the connection will be accepted.
This is only used if the
.Nm
is unable to handle the volume of
incoming connections, and a prior entry has been evicted from the cache.
.Pp
.Nm Syncookies
have a certain number of disadvantages that a paranoid
administrator may wish to take note of.
Since the TCP options from the initial SYN are not saved, they are not
applied to the connection, precluding use of features like window scale,
timestamps, or exact MSS sizing.
As the returning ACK establishes the connection, it may be possible for
an attacker to ACK flood a machine in an attempt to create a connection.
While steps have been taken to mitigate this risk, this may provide a way
to bypass firewalls which filter incoming segments with the SYN bit set.
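.Pp
The following toy cookie, added here as an illustration and not FreeBSD's
implementation, shows why the mechanism behaves as described: the cookie is
a MAC over the 4-tuple, a coarse time counter and a small MSS index, so a
valid ACK can be recognised without any stored entry, but only the
rounded-down MSS comes back and nothing else from the SYN.
The bit layout, the MSS table, the counter period and the use of
HMAC-SHA256 are assumptions made for the example.

```python
"""Toy SYN cookie illustrating the mechanism described above.  Added example,
not FreeBSD's implementation: the kernel's bit layout, hash and key rotation
differ.  It shows what a cookie can carry and what it cannot."""
import hashlib, hmac, os, struct, time

MSS_TABLE = [536, 1220, 1440, 1460]   # two bits of MSS: only these four values survive
COOKIE_PERIOD = 64                    # seconds per counter tick
MAX_AGE_TICKS = 4                     # cookies older than this are rejected as stale
SECRET = os.urandom(16)               # per-host secret; a kernel would rotate it


def _mac(peer, counter, mss_idx):
    """24-bit MAC over the 4-tuple, the counter and the MSS index."""
    msg = repr(peer).encode() + struct.pack("!IB", counter, mss_idx)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(peer, mss, now=None):
    """ISN for the SYN,ACK: counter mod 64 (6 bits) | MSS index (2) | MAC (24).
    Window scale, timestamps and SACK permission from the SYN have no room here."""
    counter = int(time.time() if now is None else now) // COOKIE_PERIOD
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return ((counter & 0x3F) << 26) | (mss_idx << 24) | _mac(peer, counter, mss_idx)


def check_cookie(peer, ack, now=None):
    """Validate the ACK of a connection that has no syncache entry.
    Returns the recovered MSS, or None if the cookie is forged or too old."""
    cookie = (ack - 1) & 0xFFFFFFFF
    cur = int(time.time() if now is None else now) // COOKIE_PERIOD
    cnt_low, mss_idx, mac = cookie >> 26, (cookie >> 24) & 0x3, cookie & 0xFFFFFF
    for age in range(MAX_AGE_TICKS + 1):       # recover the full counter by age
        counter = cur - age
        if (counter & 0x3F) == cnt_low:
            expected = struct.pack("!I", _mac(peer, counter, mss_idx))
            if hmac.compare_digest(expected, struct.pack("!I", mac)):
                return MSS_TABLE[mss_idx]
            return None                          # right age, wrong MAC: forged
    return None                                  # no acceptable age: stale


def demo():
    """Constructed exchange: a genuine ACK, the same cookie from another
    source, a cookie with one MAC bit flipped, and a cookie replayed too late."""
    peer = ("203.0.113.7", 51515, "192.0.2.1", 443)
    other = ("198.51.100.9", 51515, "192.0.2.1", 443)
    t0 = 1_700_000_000
    isn = make_cookie(peer, 1460, now=t0)
    return (check_cookie(peer, isn + 1, now=t0 + 10),
            check_cookie(other, isn + 1, now=t0 + 10),
            check_cookie(peer, (isn ^ 1) + 1, now=t0 + 10),
            check_cookie(peer, isn + 1, now=t0 + COOKIE_PERIOD * (MAX_AGE_TICKS + 1)))
```

The counter period bounds how long a captured cookie stays valid, and the
MAC width bounds how often a blindly chosen ACK would pass; with 24 MAC bits
about one in sixteen million would.
That trade-off is the reason behind the ACK flood caveat above, and the
reason the page describes cookies as the fallback for an evicted entry rather
than the primary mechanism.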
.Pp
To disable the
.Nm syncache
and run only with
.Nm syncookies ,
set
.Va net.inet.tcp.syncookies_only
to 1.
.Pp
The
.Nm
implements a number of variables in
the
.Va net.inet.tcp.syncache
branch of the
.Xr sysctl 3
MIB.
Several of these may be tuned by setting the corresponding
variable in the
.Xr loader 8 .
.Bl -tag -width ".Va bucketlimit"
.It Va hashsize
Size of the
.Nm
hash table; must be a power of 2.
Read-only, tunable via
.Xr loader 8 .
.It Va bucketlimit
Limit on the number of entries permitted in each bucket of the hash table.
This should be left at a low value to minimize search time.
Read-only, tunable via
.Xr loader 8 .
.It Va cachelimit
Limit on the total number of entries in the
.Nm .
Defaults to
.Va ( hashsize No \(mu Va bucketlimit ) ,
may be set lower to minimize memory
consumption.
Read-only, tunable via
.Xr loader 8 .
.It Va rexmtlimit
Maximum number of times a SYN,ACK is retransmitted before being discarded.
The default of 3 retransmits corresponds to a 45 second timeout; this value
may be increased depending on the RTT to client machines.
Tunable via
.Xr sysctl 3 .
.It Va count
Number of entries present in the
.Nm
(read-only).
.It Va see_other
If set to a true value, all
.Nm
entries will be visible via the
.Va net.inet.tcp.pcblist
sysctl, or via
.Xr netstat 1 ,
ignoring all of the
.Xr security 7
UID/GID,
.Xr jail 2
and
.Xr mac 4
checks.
If turned off, the visibility checks are enforced.
However, extra
.Xr ucred 9
referencing is required on every incoming SYN packet processed.
The default is off.
.El
.Pp
Statistics on the performance of the
.Nm
may be obtained via
.Xr netstat 1 ,
which provides the following counts:
.Bl -tag -width ".Li cookies received"
.It Li "syncache entries added"
Entries successfully inserted in the
.Nm .
.It Li retransmitted
SYN,ACK retransmissions due to a timeout expiring.
.It Li dupsyn
Incoming SYN segments matching an existing entry.
.It Li dropped
SYNs dropped because the SYN,ACK could not be sent.
.It Li completed
Successfully completed connections.
.It Li "bucket overflow"
Entries dropped for exceeding the per-bucket size.
.It Li "cache overflow"
Entries dropped for exceeding the overall cache size.
.It Li reset
RST segments received.
.It Li stale
Entries dropped due to maximum retransmissions or listen socket disappearance.
.It Li aborted
New socket allocation failures.
.It Li badack
Entries dropped due to a bad ACK reply.
.It Li unreach
Entries dropped due to ICMP unreachable messages.
.It Li "zone failures"
Failures to allocate a new
.Nm
entry.
.It Li "cookies received"
Connections created from a segment containing an ACK.
.El
.Sh SEE ALSO
.Xr netstat 1 ,
.Xr jail 2 ,
.Xr mac 4 ,
.Xr tcp 4 ,
.Xr security 7 ,
.Xr loader 8 ,
.Xr sysctl 8 ,
.Xr ucred 9
.Sh HISTORY
The existing
.Nm
implementation
first appeared in
.Fx 4.5 .
The concept of a
.Nm
originally appeared in
.Bsx ,
and was later modified by
.Nx ,
then further extended here.
.Sh AUTHORS
The
.Nm
code and manual page were written by
.An Jonathan Lemon Aq Mt jlemon@FreeBSD.org .
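.Sh EXAMPLES
The following script, added here as an example and not part of the base
system, turns the statistics and tunables described above into a health
check suitable for a monitoring job.
Its input is a constructed excerpt shaped like
.Xr netstat 1
and
.Xr sysctl 8
output; only the counter labels and variable names listed in this page are
relied on, and the percentage thresholds are illustrative choices.

```python
"""Health check over the syncache statistics and tunables named in this page.
Added example, not part of the base system.  The samples are constructed
excerpts shaped like 'netstat -s -p tcp' and 'sysctl net.inet.tcp.syncache'
output; only the labels and variable names from the page are relied on."""
import re

NETSTAT_SAMPLE = """\
        120043 syncache entries added
                2271 retransmitted
                415 dupsyn
                0 dropped
                118902 completed
                3104 bucket overflow
                0 cache overflow
                12 reset
                891 stale
                0 aborted
                37 badack
                4 unreach
                0 zone failures
        3098 cookies received
"""  # constructed, not captured from a real host

SYSCTL_SAMPLE = """\
net.inet.tcp.syncache.bucketlimit: 30
net.inet.tcp.syncache.cachelimit: 15360
net.inet.tcp.syncache.count: 14
net.inet.tcp.syncache.hashsize: 512
net.inet.tcp.syncache.rexmtlimit: 3
net.inet.tcp.syncache.see_other: 1
"""  # constructed

LABELS = {"syncache entries added", "retransmitted", "dupsyn", "dropped",
          "completed", "bucket overflow", "cache overflow", "reset", "stale",
          "aborted", "badack", "unreach", "zone failures", "cookies received"}


def parse_counters(text):
    """Map each known counter label to its integer value."""
    counters = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(.+?)\s*$", line)
        if m and m.group(2) in LABELS:
            counters[m.group(2)] = int(m.group(1))
    return counters


def parse_sysctl(text):
    """Map 'net.inet.tcp.syncache.<name>: <value>' lines to {name: int}."""
    values = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.startswith("net.inet.tcp.syncache."):
            values[name.rsplit(".", 1)[1]] = int(value)
    return values


def assess_counters(c):
    """Findings from the counters; the percentage thresholds are illustrative."""
    findings = []
    added = max(c.get("syncache entries added", 0), 1)
    evicted = c.get("bucket overflow", 0) + c.get("cache overflow", 0)
    if evicted:
        findings.append("eviction: %d of %d entries evicted; cache undersized or "
                        "SYN flood under way" % (evicted, added))
    if c.get("cookies received", 0):
        findings.append("cookie fallback: %d connections accepted from cookies alone, "
                        "so window scale, timestamps and exact MSS from their SYNs "
                        "were lost" % c["cookies received"])
    if c.get("zone failures", 0) or c.get("aborted", 0):
        findings.append("allocation pressure: zone failures=%d aborted=%d"
                        % (c.get("zone failures", 0), c.get("aborted", 0)))
    if c.get("badack", 0) > 0.01 * added:
        findings.append("badack: %d ACKs with a wrong sequence number" % c["badack"])
    if c.get("stale", 0) > 0.05 * added:
        findings.append("stale: %d entries expired unanswered after rexmtlimit "
                        "retransmissions; spoofed sources or a lossy path" % c["stale"])
    return findings


def assess_tunables(t):
    """Findings from the tunables, using the relations stated in this page."""
    findings = []
    if t["hashsize"] & (t["hashsize"] - 1):
        findings.append("hashsize %d is not a power of 2" % t["hashsize"])
    if t["cachelimit"] > t["hashsize"] * t["bucketlimit"]:
        findings.append("cachelimit %d exceeds hashsize x bucketlimit (%d)"
                        % (t["cachelimit"], t["hashsize"] * t["bucketlimit"]))
    if t["see_other"]:
        findings.append("see_other=1: syncache entries are listed to every user, "
                        "bypassing UID/GID, jail and MAC visibility checks")
    if t["count"] >= 0.9 * t["cachelimit"]:
        findings.append("count %d is within 10%% of cachelimit %d"
                        % (t["count"], t["cachelimit"]))
    return findings


def completion_ratio(c):
    """Fraction of syncache entries that completed the handshake."""
    added = c.get("syncache entries added", 0)
    return c.get("completed", 0) / added if added else 0.0
```

On a live host, feed the script the output of
.Dq netstat -s -p tcp
and
.Dq sysctl net.inet.tcp.syncache .
The netstat counters are cumulative since boot, so a monitoring job should
compare the difference between successive runs rather than the absolute
values; the tunables are a point-in-time snapshot and can be checked as is.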