Diffstat (limited to 'static/freebsd/man4/syncache.4 3.html')
| -rw-r--r-- | static/freebsd/man4/syncache.4 3.html | 268 |
1 files changed, 268 insertions, 0 deletions
diff --git a/static/freebsd/man4/syncache.4 3.html b/static/freebsd/man4/syncache.4 3.html new file mode 100644 index 00000000..04750601 --- /dev/null +++ b/static/freebsd/man4/syncache.4 3.html 
@@ -0,0 +1,268 @@ +<table class="head"> + <tr> + <td class="head-ltitle">SYNCACHE(4)</td> + <td class="head-vol">Device Drivers Manual</td> + <td class="head-rtitle">SYNCACHE(4)</td> + </tr> +</table> +<div class="manual-text"> +<section class="Sh"> +<h1 class="Sh" id="NAME"><a class="permalink" href="#NAME">NAME</a></h1> +<p class="Pp"><code class="Nm">syncache</code>, + <code class="Nm">syncookies</code> — + <span class="Nd"><a class="Xr">sysctl(8)</a> MIBs for controlling TCP SYN + caching</span></p> +</section> +<section class="Sh"> +<h1 class="Sh" id="SYNOPSIS"><a class="permalink" href="#SYNOPSIS">SYNOPSIS</a></h1> +<ul class="Bl-item Bl-compact"> + <li> + <table class="Nm"> + <tr> + <td><code class="Nm">sysctl + <code class="Cm">net.inet.tcp.syncookies</code></code></td> + <td></td> + </tr> + </table> + </li> + <li> + <table class="Nm"> + <tr> + <td><code class="Nm">sysctl + <code class="Cm">net.inet.tcp.syncookies_only</code></code></td> + <td></td> + </tr> + </table> + </li> +</ul> +<p class="Pp"></p> +<ul class="Bl-item Bl-compact"> + <li> + <table class="Nm"> + <tr> + <td><code class="Nm">sysctl + <code class="Cm">net.inet.tcp.syncache.hashsize</code></code></td> + <td></td> + </tr> + </table> + </li> + <li> + <table class="Nm"> + <tr> + <td><code class="Nm">sysctl + <code class="Cm">net.inet.tcp.syncache.bucketlimit</code></code></td> + <td></td> + </tr> + </table> + </li> + <li> + <table class="Nm"> + <tr> + <td><code class="Nm">sysctl + <code class="Cm">net.inet.tcp.syncache.cachelimit</code></code></td> + <td></td> + </tr> + </table> + </li> + <li> + <table class="Nm"> + <tr> + <td><code class="Nm">sysctl + <code class="Cm">net.inet.tcp.syncache.rexmtlimit</code></code></td> + <td></td> + </tr> + </table> + </li> + <li> + <table class="Nm"> + <tr> + <td><code class="Nm">sysctl + <code class="Cm">net.inet.tcp.syncache.count</code></code></td> + <td></td> + </tr> + </table> + </li> + <li> + <table class="Nm"> + <tr> + <td><code class="Nm">sysctl + 
<code class="Cm">net.inet.tcp.syncache.see_other</code></code></td> + <td></td> + </tr> + </table> + </li> + <li> + <table class="Nm"> + <tr> + <td><code class="Nm">sysctl + <code class="Cm">net.inet.tcp.syncache.rst_on_sock_fail</code></code></td> + <td></td> + </tr> + </table> + </li> +</ul> +</section> +<section class="Sh"> +<h1 class="Sh" id="DESCRIPTION"><a class="permalink" href="#DESCRIPTION">DESCRIPTION</a></h1> +<p class="Pp">The <code class="Nm">syncache</code> <a class="Xr">sysctl(8)</a> + MIB is used to control the TCP SYN caching in the system, which is intended + to handle SYN flood Denial of Service attacks.</p> +<p class="Pp">When a TCP SYN segment is received on a port corresponding to a + listen socket, an entry is made in the <code class="Nm">syncache</code>, and + a SYN,ACK segment is returned to the peer. The + <code class="Nm">syncache</code> entry holds the TCP options from the + initial SYN, enough state to perform a SYN,ACK retransmission, and takes up + less space than a TCP control block endpoint. An incoming segment which + contains an ACK for the SYN,ACK and matches a + <code class="Nm">syncache</code> entry will cause the system to create a TCP + control block with the options stored in the + <code class="Nm">syncache</code> entry, which is then released.</p> +<p class="Pp">The <code class="Nm">syncache</code> protects the system from SYN + flood DoS attacks by minimizing the amount of state kept on the server, and + by limiting the overall size of the <code class="Nm">syncache</code>.</p> +<p class="Pp"><code class="Nm">Syncookies</code> provides a way to virtually + expand the size of the <code class="Nm">syncache</code> by keeping state + regarding the initial SYN in the network. Enabling + <code class="Nm">syncookies</code> sends a cryptographic value in the + SYN,ACK reply to the client machine, which is then returned in the client's + ACK. 
If the corresponding entry is not found in the + <code class="Nm">syncache</code>, but the value passes specific security + checks, the connection will be accepted. This is only used if the + <code class="Nm">syncache</code> is unable to handle the volume of incoming + connections, and a prior entry has been evicted from the cache.</p> +<p class="Pp"><code class="Nm">Syncookies</code> have a certain number of + disadvantages that a paranoid administrator may wish to take note of. Since + the TCP options from the initial SYN are not saved, they are not applied to + the connection, precluding use of features like window scale, timestamps, or + exact MSS sizing. As the returning ACK establishes the connection, it may be + possible for an attacker to ACK flood a machine in an attempt to create a + connection. While steps have been taken to mitigate this risk, this may + provide a way to bypass firewalls which filter incoming segments with the + SYN bit set.</p> +<p class="Pp">To disable the <code class="Nm">syncache</code> and run only with + <code class="Nm">syncookies</code>, set + <var class="Va">net.inet.tcp.syncookies_only</var> to 1. To use + <code class="Nm">syncookies</code> to handle bucket overflows in the + <code class="Nm">syncache</code> set + <var class="Va">net.inet.tcp.syncookies</var> to 1. The default value for + <var class="Va">net.inet.tcp.syncookies_only</var> is 0 and the default + value for <var class="Va">net.inet.tcp.syncookies</var> is 1.</p> +<p class="Pp">The <code class="Nm">syncache</code> implements a number of + variables in the <var class="Va">net.inet.tcp.syncache</var> branch of the + <a class="Xr">sysctl(3)</a> MIB. Several of these may be tuned by setting + the corresponding variable in the <a class="Xr">loader(8)</a>.</p> +<dl class="Bl-tag"> + <dt id="hashsize"><var class="Va">hashsize</var></dt> + <dd>Size of the <code class="Nm">syncache</code> hash table, must be a power + of 2. 
Read-only, tunable via <a class="Xr">loader(8)</a>.</dd> + <dt id="bucketlimit"><var class="Va">bucketlimit</var></dt> + <dd>Limit on the number of entries permitted in each bucket of the hash table. + This should be left at a low value to minimize search time. Read-only, + tunable via <a class="Xr">loader(8)</a>.</dd> + <dt id="cachelimit"><var class="Va">cachelimit</var></dt> + <dd>Limit on the total number of entries in the + <code class="Nm">syncache</code>. Defaults to + (<var class="Va">hashsize</var> <span class="No">×</span> + <var class="Va">bucketlimit</var>), may be set lower to minimize memory + consumption. Read-only, tunable via <a class="Xr">loader(8)</a>.</dd> + <dt id="rexmtlimit"><var class="Va">rexmtlimit</var></dt> + <dd>Maximum number of times a SYN,ACK is retransmitted before being discarded. + The default of 3 retransmits corresponds to a 45 second timeout, this + value may be increased depending on the RTT to client machines. Tunable + via <a class="Xr">sysctl(3)</a>.</dd> + <dt id="count"><var class="Va">count</var></dt> + <dd>Number of entries present in the <code class="Nm">syncache</code> + (read-only).</dd> + <dt id="see_other"><var class="Va">see_other</var></dt> + <dd>If set to true value, all <code class="Nm">syncache</code> entries will be + visible via <var class="Va">net.inet.tcp.pcblist</var> sysctl, or via + <a class="Xr">netstat(1)</a>, ignoring all of + <a class="Xr">security(7)</a> UID/GID, <a class="Xr">jail(2)</a> and + <a class="Xr">mac(4)</a> checks. If turned off, the visibility checks are + enforced. However, extra <a class="Xr">ucred(9)</a> referencing is + required on every incoming SYN packet processed. The default is off.</dd> + <dt id="rst_on_sock_fail"><var class="Va">rst_on_sock_fail</var></dt> + <dd>Send a TCP RST segment if the socket allocation fails. 
The default is + on.</dd> +</dl> +<p class="Pp">Statistics on the performance of the + <code class="Nm">syncache</code> may be obtained via + <a class="Xr">netstat(1)</a>, which provides the following counts:</p> +<dl class="Bl-tag"> + <dt id="syncache"><a class="permalink" href="#syncache"><code class="Li">syncache + entries added</code></a></dt> + <dd>Entries successfully inserted in the + <code class="Nm">syncache</code>.</dd> + <dt id="retransmitted"><a class="permalink" href="#retransmitted"><code class="Li">retransmitted</code></a></dt> + <dd>SYN,ACK retransmissions due to a timeout expiring.</dd> + <dt id="dupsyn"><a class="permalink" href="#dupsyn"><code class="Li">dupsyn</code></a></dt> + <dd>Incoming SYN segment matching an existing entry.</dd> + <dt id="dropped"><a class="permalink" href="#dropped"><code class="Li">dropped</code></a></dt> + <dd>SYNs dropped because SYN,ACK could not be sent.</dd> + <dt id="completed"><a class="permalink" href="#completed"><code class="Li">completed</code></a></dt> + <dd>Successfully completed connections.</dd> + <dt id="bucket"><a class="permalink" href="#bucket"><code class="Li">bucket + overflow</code></a></dt> + <dd>Entries dropped for exceeding per-bucket size.</dd> + <dt id="cache"><a class="permalink" href="#cache"><code class="Li">cache + overflow</code></a></dt> + <dd>Entries dropped for exceeding overall cache size.</dd> + <dt id="reset"><a class="permalink" href="#reset"><code class="Li">reset</code></a></dt> + <dd>RST segment received.</dd> + <dt id="stale"><a class="permalink" href="#stale"><code class="Li">stale</code></a></dt> + <dd>Entries dropped due to maximum retransmissions or listen socket + disappearance.</dd> + <dt id="aborted"><a class="permalink" href="#aborted"><code class="Li">aborted</code></a></dt> + <dd>New socket allocation failures.</dd> + <dt id="badack"><a class="permalink" href="#badack"><code class="Li">badack</code></a></dt> + <dd>Entries dropped due to bad ACK reply.</dd> + <dt 
id="unreach"><a class="permalink" href="#unreach"><code class="Li">unreach</code></a></dt> + <dd>Entries dropped due to ICMP unreachable messages.</dd> + <dt id="zone"><a class="permalink" href="#zone"><code class="Li">zone + failures</code></a></dt> + <dd>Failures to allocate new <code class="Nm">syncache</code> entry.</dd> + <dt id="cookies"><a class="permalink" href="#cookies"><code class="Li">cookies + sent</code></a></dt> + <dd>SYN cookies sent in SYN ACK segments.</dd> + <dt id="cookies~2"><a class="permalink" href="#cookies~2"><code class="Li">cookies + received</code></a></dt> + <dd>ACK segments with valid syncookies which resulted in TCP connection + establishment.</dd> + <dt id="spurious"><a class="permalink" href="#spurious"><code class="Li">spurious + cookies rejected</code></a></dt> + <dd>Received ACKs, for which the syncache lookup failed and also no syncookie + was recently sent.</dd> + <dt id="failed"><a class="permalink" href="#failed"><code class="Li">failed + cookies rejected</code></a></dt> + <dd>Received ACKs for which the syncookie validation failed.</dd> +</dl> +</section> +<section class="Sh"> +<h1 class="Sh" id="SEE_ALSO"><a class="permalink" href="#SEE_ALSO">SEE + ALSO</a></h1> +<p class="Pp"><a class="Xr">netstat(1)</a>, <a class="Xr">jail(2)</a>, + <a class="Xr">mac(4)</a>, <a class="Xr">tcp(4)</a>, + <a class="Xr">security(7)</a>, <a class="Xr">loader(8)</a>, + <a class="Xr">sysctl(8)</a>, <a class="Xr">ucred(9)</a></p> +</section> +<section class="Sh"> +<h1 class="Sh" id="HISTORY"><a class="permalink" href="#HISTORY">HISTORY</a></h1> +<p class="Pp">The existing <code class="Nm">syncache</code> implementation first + appeared in <span class="Ux">FreeBSD 4.5</span>. 
The original concept of a + <code class="Nm">syncache</code> originally appeared in + <span class="Ux">BSD/OS</span>, and was later modified by + <span class="Ux">NetBSD</span>, then further extended here.</p> +</section> +<section class="Sh"> +<h1 class="Sh" id="AUTHORS"><a class="permalink" href="#AUTHORS">AUTHORS</a></h1> +<p class="Pp">The <code class="Nm">syncache</code> code and manual page were + written by <span class="An">Jonathan Lemon</span> + <<a class="Mt" href="mailto:jlemon@FreeBSD.org">jlemon@FreeBSD.org</a>>.</p> +</section> +</div> +<table class="foot"> + <tr> + <td class="foot-date">August 30, 2025</td> + <td class="foot-os">FreeBSD 15.0</td> + </tr> +</table> |
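Review bot: the new file's path, `static/freebsd/man4/syncache.4 3.html`, contains a space and a trailing ` 3` before the extension, which looks like a browser download duplicate of `syncache.4.html` rather than an intentional name; confirm whether `static/freebsd/man4/syncache.4.html` already exists in the tree and drop this copy, or rename it to the canonical `syncache.4.html` so the static file is reachable by the same path as the other man4 pages. A second, smaller point in the same hunk: every `<a class="Xr">` cross reference in SYNOPSIS, DESCRIPTION and SEE ALSO (e.g. `<a class="Xr">sysctl(8)</a>`, `<a class="Xr">netstat(1)</a>`) is emitted without an `href`, so the rendered links do not navigate anywhere; if the generator can resolve them, add `href` attributes pointing at the corresponding man pages, otherwise render them as plain `<span>` text to avoid dead anchors.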
