On Tue, Jun 07, 2016 at 09:35:39AM +0200, Peter J. Philipp wrote:
> On 06/06/16 21:57, Claudio Jeker wrote:
> > OpenBSD uses the syncache for TCP sockets in the 3 way handshake to save a
> > lot of work to create a full socket in case of synfloods, etc.
> > These unhatched sockets do not show up in the netstat output. Maybe they
> > should be added but this is the first request that asks for them in the
> > 10+ years we use the syncache.
> >
>
> Thanks for the history of this Claudio. I am not really asking for them
> I just wanted to know where they went. It's good to know that a
> LISTENING tcp socket goes directly to ESTABLISHED in OpenBSD. I would
> have another question though. How would an administrator tell I'm
> getting SYN flooded without the hunch that something is going on and
> jumping on tcpdump and doing packet accounting? How would you determine
> a syn flood?
>
There are some counters in netstat -sptcp output. In particular:

        532358 SYN packets dropped due to queue or memory full
     770174566 SYN cache entries added
             0 hash collisions
     768118448 completed
             6 aborted (no space to build PCB)
        905577 timed out
             0 dropped due to overflow
             0 dropped due to bucket overflow
       1150155 dropped due to RST
             0 dropped due to ICMP unreachable
       7036108 SYN,ACKs retransmitted
      13117384 duplicate SYNs received for entries already in the cache
          2580 SYNs dropped (no route or no space)

In SYN floods, hash collisions and overflow drops will increase a lot.
As you can see, in normal operation those counters are normally 0.

--
:wq Claudio
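As an added example (not part of the thread), the check Claudio describes can be scripted: take two snapshots of `netstat -s -p tcp` a few seconds apart and report growth in the syncache counters that stay at 0 in normal operation (hash collisions, overflow drops, bucket overflow drops). The two snapshots below are constructed sample output, not real measurements.

```shell
#!/bin/sh
# Constructed sample snapshots of `netstat -s -p tcp` (values made up; the
# counter names are the ones from the message above). In practice, capture
# them with: SNAP_T0=$(netstat -s -p tcp); sleep 5; SNAP_T1=$(netstat -s -p tcp)
SNAP_T0='        532358 SYN packets dropped due to queue or memory full
     770174566 SYN cache entries added
             0 hash collisions
     768118448 completed
             0 dropped due to overflow
             0 dropped due to bucket overflow'
SNAP_T1='        540000 SYN packets dropped due to queue or memory full
     770190000 SYN cache entries added
          1200 hash collisions
     768120000 completed
          3400 dropped due to overflow
           210 dropped due to bucket overflow'

# counter SNAPSHOT PATTERN: print the value (first field) of the first line
# matching PATTERN, or 0 if the kernel does not report that counter.
counter() {
    printf '%s\n' "$1" | awk -v pat="$2" \
        '$0 ~ pat { print $1; found = 1; exit } END { if (!found) print 0 }'
}

# syncache_delta SNAP_T0 SNAP_T1: print "name delta" for each flood indicator.
# Absolute values accumulate since boot, so only the growth between the two
# snapshots is meaningful.
syncache_delta() {
    for spec in 'collisions|hash collisions$' \
                'overflow|dropped due to overflow$' \
                'bucket_overflow|dropped due to bucket overflow$'; do
        name=${spec%%|*}
        pat=${spec#*|}
        d=$(( $(counter "$2" "$pat") - $(counter "$1" "$pat") ))
        printf '%s %d\n' "$name" "$d"
    done
}

# syn_flood_suspected SNAP_T0 SNAP_T1: exit 0 (true) if any indicator grew
# between the snapshots, 1 otherwise. Suitable for a cron or monitoring hook.
syn_flood_suspected() {
    syncache_delta "$1" "$2" | awk '$2 > 0 { hit = 1 } END { exit hit ? 0 : 1 }'
}

if syn_flood_suspected "$SNAP_T0" "$SNAP_T1"; then
    echo "syncache indicators grew between snapshots:"
    syncache_delta "$SNAP_T0" "$SNAP_T1"
fi
```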