On 06/07/16 15:33, Claudio Jeker wrote:
> On Tue, Jun 07, 2016 at 09:35:39AM +0200, Peter J. Philipp wrote:
>> On 06/06/16 21:57, Claudio Jeker wrote:
>>> OpenBSD uses the syncache for TCP sockets in the 3 way handshake to save a
>>> lot of work to create a full socket in case of synfloods, etc.
>>> These unhatched sockets do not show up in the netstat output. Maybe they
>>> should be added but this is the first request that asks for them in the
>>> 10+ years we use the syncache.
>>>
>> Thanks for the history of this Claudio. I am not really asking for them,
>> I just wanted to know where they went. It's good to know that a
>> LISTENING tcp socket goes directly to ESTABLISHED in OpenBSD. I would
>> have another question though. How would an administrator tell I'm
>> getting SYN flooded without the hunch that something is going on and
>> jumping on tcpdump and doing packet accounting? How would you determine
>> a syn flood?
>>
> There are some counters in netstat -sptcp output. In particular:
>
>         532358 SYN packets dropped due to queue or memory full
>         770174566 SYN cache entries added
>         0 hash collisions
>         768118448 completed
>         6 aborted (no space to build PCB)
>         905577 timed out
>         0 dropped due to overflow
>         0 dropped due to bucket overflow
>         1150155 dropped due to RST
>         0 dropped due to ICMP unreachable
>         7036108 SYN,ACKs retransmitted
>         13117384 duplicate SYNs received for entries already in the cache
>         2580 SYNs dropped (no route or no space)
>
> In syn floods hash collisions and overflow drops will increase a lot.
> As you can see in normal operation those counters are normally 0.
Perfect! Thanks also to everyone else who replied.

Cheers,
-peter
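An added example, not code from this thread or from OpenBSD, of what Claudio's advice looks like as a check: since the `netstat -s` counters are cumulative since boot, take two `netstat -sptcp` snapshots some interval apart and flag growth in the syncache counters he names. The "before" values are the ones quoted above; the "after" values and the 1000-per-interval threshold are constructed assumptions.

```python
import re

# Syncache counter lines from the `netstat -sptcp` excerpt quoted above,
# used here as the "before" snapshot.
BEFORE = """\
        532358 SYN packets dropped due to queue or memory full
        770174566 SYN cache entries added
        0 hash collisions
        0 dropped due to overflow
        0 dropped due to bucket overflow
"""

# Constructed "after" snapshot (values invented for this example), as if
# taken a few minutes later while a SYN flood is in progress.
AFTER = """\
        540000 SYN packets dropped due to queue or memory full
        770300000 SYN cache entries added
        48213 hash collisions
        3571 dropped due to overflow
        820 dropped due to bucket overflow
"""

# The counters Claudio says climb during a SYN flood.
FLOOD_INDICATORS = ("hash collisions", "dropped due to overflow",
                    "dropped due to bucket overflow")

# Each netstat -s counter line is "<count> <description>".
_COUNTER = re.compile(r"^\s*(\d+)\s+(.*\S)\s*$")


def parse_counters(text):
    """Map each 'N description' line of netstat -s output to {description: N}."""
    counters = {}
    for line in text.splitlines():
        m = _COUNTER.match(line)
        if m:
            counters[m.group(2)] = int(m.group(1))
    return counters


def counter_deltas(before, after):
    """Per-counter growth between two snapshots (counters only ever grow)."""
    b, a = parse_counters(before), parse_counters(after)
    return {name: a[name] - b.get(name, 0) for name in a}


def flood_suspected(before, after, threshold=1000):
    """Return the flood indicators that grew by more than `threshold`."""
    deltas = counter_deltas(before, after)
    return {name: deltas[name] for name in FLOOD_INDICATORS
            if deltas.get(name, 0) > threshold}
```

Run `flood_suspected(BEFORE, AFTER)` on two real snapshots captured with `netstat -sptcp` and a non-empty result is the cue to look closer; tune the threshold to the host's normal SYN rate.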