Provided by: freebsd-manpages_12.2-1_all bug

NAME
       syncache, syncookies — sysctl(8) MIBs for controlling TCP SYN caching


SYNOPSIS
       sysctl net.inet.tcp.syncookies
       sysctl net.inet.tcp.syncookies_only

       sysctl net.inet.tcp.syncache.hashsize
       sysctl net.inet.tcp.syncache.bucketlimit
       sysctl net.inet.tcp.syncache.cachelimit
       sysctl net.inet.tcp.syncache.rexmtlimit
       sysctl net.inet.tcp.syncache.count


DESCRIPTION
       The  syncache  sysctl(8)  MIB  is used to control the TCP SYN caching in the system, which is intended to
       handle SYN flood Denial of Service attacks.

       When a TCP SYN segment is received on a port corresponding to a listen socket, an entry is  made  in  the
       syncache,  and  a SYN,ACK segment is returned to the peer.  The syncache entry holds the TCP options from
       the initial SYN, enough state to perform a SYN,ACK retransmission, and takes up less  space  than  a  TCP
       control block endpoint.  An incoming segment which contains an ACK for the SYN,ACK and matches a syncache
       entry  will cause the system to create a TCP control block with the options stored in the syncache entry,
       which is then released.

       The syncache protects the system from SYN flood DoS attacks by minimizing the amount of state kept on the
       server, and by limiting the overall size of the syncache.

       Syncookies provides a way to virtually expand the size of the syncache by  keeping  state  regarding  the
       initial  SYN in the network.  Enabling syncookies sends a cryptographic value in the SYN,ACK reply to the
       client machine, which is then returned in the client's ACK.  If the corresponding entry is not  found  in
       the  syncache,  but  the value passes specific security checks, the connection will be accepted.  This is
       only used if the syncache is unable to handle the volume of incoming connections, and a prior  entry  has
       been evicted from the cache.

       Syncookies have a certain number of disadvantages that a paranoid administrator may wish to take note of.
       Since  the  TCP  options  from  the  initial  SYN  are not saved, they are not applied to the connection,
       precluding use of features like window scale, timestamps, or exact MSS  sizing.   As  the  returning  ACK
       establishes  the  connection,  it may be possible for an attacker to ACK flood a machine in an attempt to
       create a connection.  While steps have been taken to mitigate this risk, this may provide a way to bypass
       firewalls which filter incoming segments with the SYN bit set.

       To disable the syncache and run only with syncookies, set net.inet.tcp.syncookies_only to 1.

       The syncache implements a number of variables in the net.inet.tcp.syncache branch of the  sysctl(3)  MIB.
       Several of these may be tuned by setting the corresponding variable in the loader(8).

       hashsize     Size of the syncache hash table, must be a power of 2.  Read-only, tunable via loader(8).

       bucketlimit  Limit  on  the number of entries permitted in each bucket of the hash table.  This should be
                    left at a low value to minimize search time.  Read-only, tunable via loader(8).

       cachelimit   Limit on the total number of entries in the syncache.  Defaults to (hashsize × bucketlimit),
                    may be set lower to minimize memory consumption.  Read-only, tunable via loader(8).

       rexmtlimit   Maximum number of times a SYN,ACK is retransmitted before being discarded.  The default of 3
                    retransmits corresponds to a 45 second timeout, this value may be increased depending on the
                    RTT to client machines.  Tunable via sysctl(3).

       count        Number of entries present in the syncache (read-only).

       Statistics on the performance of the  syncache  may  be  obtained  via  netstat(1),  which  provides  the
       following counts:

       syncache entries added
                         Entries successfully inserted in the syncache.

       retransmitted     SYN,ACK retransmissions due to a timeout expiring.

       dupsyn            Incoming SYN segment matching an existing entry.

       dropped           SYNs dropped because SYN,ACK could not be sent.

       completed         Successfully completed connections.

       bucket overflow   Entries dropped for exceeding per-bucket size.

       cache overflow    Entries dropped for exceeding overall cache size.

       reset             RST segment received.

       stale             Entries dropped due to maximum retransmissions or listen socket disappearance.

       aborted           New socket allocation failures.

       badack            Entries dropped due to bad ACK reply.

       unreach           Entries dropped due to ICMP unreachable messages.

       zone failures     Failures to allocate new syncache entry.

       cookies received  Connections created from segment containing ACK.


SEE ALSO
       netstat(1), tcp(4), loader(8), sysctl(8)


HISTORY
       The  existing  syncache implementation first appeared in FreeBSD 4.5.  The original concept of a syncache
       originally appeared in BSD/OS, and was later modified by NetBSD, then further extended here.


AUTHORS
       The syncache code and manual page were written by Jonathan Lemon <jlemon@FreeBSD.org>.

Debian                                          January 22, 2008                                     SYNCACHE(4)