• Last 5 Forum Topics
    Last post

The Web Only This Site



  • MARC

    Mailing list ARChives
    - Search by -


    Computing Dictionary

  • Text Link Ads

  • LINUX man pages
  • Linux Man Page Viewer

    The following form allows you to view linux man pages.



         sysctl net.inet.tcp.syncookies_only
         sysctl net.inet.tcp.syncache.hashsize
         sysctl net.inet.tcp.syncache.bucketlimit
         sysctl net.inet.tcp.syncache.cachelimit
         sysctl net.inet.tcp.syncache.rexmtlimit
         sysctl net.inet.tcp.syncache.count


         The syncache sysctl(8) MIB is used to control the TCP SYN caching in the
         system, which is intended to handle SYN flood Denial of Service attacks.
         When a TCP SYN segment is received on a port corresponding to a listen
         socket, an entry is made in the syncache, and a SYN,ACK segment is
         returned to the peer.  The syncache entry holds the TCP options from the
         initial SYN, enough state to perform a SYN,ACK retransmission, and takes
         up less space than a TCP control block endpoint.  An incoming segment
         which contains an ACK for the SYN,ACK and matches a syncache entry will
         cause the system to create a TCP control block with the options stored in
         the syncache entry, which is then released.
         The syncache protects the system from SYN flood DoS attacks by minimizing
         the amount of state kept on the server, and by limiting the overall size
         of the syncache.
         Syncookies provides a way to virtually expand the size of the syncache by
         keeping state regarding the initial SYN in the network.  Enabling
         syncookies sends a cryptographic value in the SYN,ACK reply to the client
         machine, which is then returned in the client's ACK.  If the correspond-
         ing entry is not found in the syncache, but the value passes specific
         security checks, the connection will be accepted.  This is only used if
         the syncache is unable to handle the volume of incoming connections, and
         a prior entry has been evicted from the cache.
         Syncookies have a certain number of disadvantages that a paranoid admin-
         istrator may wish to take note of.  Since the TCP options from the ini-
         tial SYN are not saved, they are not applied to the connection, preclud-
         ing use of features like window scale, timestamps, or exact MSS sizing.
         As the returning ACK establishes the connection, it may be possible for
         an attacker to ACK flood a machine in an attempt to create a connection.
         While steps have been taken to mitigate this risk, this may provide a way
         to bypass firewalls which filter incoming segments with the SYN bit set.
         To disable the syncache and run only with syncookies, set
         net.inet.tcp.syncookies_only to 1.
         The syncache implements a number of variables in the
         net.inet.tcp.syncache branch of the sysctl(3) MIB.  Several of these may
         be tuned by setting the corresponding variable in the loader(8).
         hashsize     Size of the syncache hash table, must be a power of 2.
                      Read-only, tunable via loader(8).
         count        Number of entries present in the syncache (read-only).
         Statistics on the performance of the syncache may be obtained via
         netstat(1), which provides the following counts:
         syncache entries added
                           Entries successfully inserted in the syncache.
         retransmitted     SYN,ACK retransmissions due to a timeout expiring.
         dupsyn            Incoming SYN segment matching an existing entry.
         dropped           SYNs dropped because SYN,ACK could not be sent.
         completed         Successfully completed connections.
         bucket overflow   Entries dropped for exceeding per-bucket size.
         cache overflow    Entries dropped for exceeding overall cache size.
         reset             RST segment received.
         stale             Entries dropped due to maximum retransmissions or lis-
                           ten socket disappearance.
         aborted           New socket allocation failures.
         badack            Entries dropped due to bad ACK reply.
         unreach           Entries dropped due to ICMP unreachable messages.
         zone failures     Failures to allocate new syncache entry.
         cookies received  Connections created from segment containing ACK.


         netstat(1), tcp(4), loader(8), sysctl(8)


         The existing syncache implementation first appeared in FreeBSD 4.5.  The
         original concept of a syncache originally appeared in BSD/OS, and was
         later modified by NetBSD, then further extended here.


         The syncache code and manual page were written by Jonathan Lemon

    BSD January 22, 2008 BSD


  • Linux

    The Distributions


    The Software


    The News


  • Toll Free
Copyright © 1999 - 2016 by LinuxGuruz