Forum Discussion
Syncookie threshold 16384 exceeded
Hi Juan,
the Syncookie messages are caused by too many ongoing 3-way TCP handshakes.
Unless you're hosting a very impressive application with a couple of ten-thousand new TCP sessions each second and/or with a huge network RTT latency, this is either an indicator that you're a victim of an ongoing TCP-SynFlood attack or that your network/routing infrastructure is more or less asymmetrically connected, so that the initial TCP-SYN packets can be received by your LTM, but the TCP handshake cannot complete successfully afterwards.
I think you have to use a network monitor to find out the source of the TCP-SYN flood, to know the cause of the error messages. But keep in mind that the SRC-IPs of the received SYN packets may already be spoofed.
Note: The error message is more or less an informational message to show you that the F5 has switched from the regular TCP backlog-queue based session tracking behavior (requires RAM to track the individual connections) to a cryptographic tracking behavior (requires just CPU instead of RAM).
Cheers, Kai
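
The network-monitor step suggested in the reply above can be sketched as follows. This is an added example, not part of the original post and not F5 tooling: it assumes IPv4 packets in `tcpdump -nn` text output, the function name `half_open_by_source` is hypothetical, and the sample capture is constructed from documentation address ranges.

```python
import re
from collections import Counter

# Constructed sample in `tcpdump -nn` text format (documentation address ranges).
SAMPLE = """\
12:00:00.000001 IP 198.51.100.7.40001 > 203.0.113.10.443: Flags [S], seq 1000, win 64240, length 0
12:00:00.000090 IP 203.0.113.10.443 > 198.51.100.7.40001: Flags [S.], seq 9000, ack 1001, win 65160, length 0
12:00:00.020300 IP 198.51.100.7.40001 > 203.0.113.10.443: Flags [.], ack 9001, win 502, length 0
12:00:00.030000 IP 192.0.2.11.1025 > 203.0.113.10.443: Flags [S], seq 1, win 512, length 0
12:00:00.030050 IP 203.0.113.10.443 > 192.0.2.11.1025: Flags [S.], seq 9100, ack 2, win 65160, length 0
12:00:00.030400 IP 192.0.2.12.1026 > 203.0.113.10.443: Flags [S], seq 1, win 512, length 0
12:00:00.030800 IP 192.0.2.11.1027 > 203.0.113.10.443: Flags [S], seq 1, win 512, length 0
"""

# addr.port > addr.port: Flags [..]  (the last dotted field of each endpoint is the port)
LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\]")


def half_open_by_source(capture_text):
    """Return (distinct SYN flows seen, Counter of source IP -> handshakes never completed)."""
    seen = set()      # every client flow that sent an initial SYN
    pending = set()   # flows still waiting for the client's final ACK
    for line in capture_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # non-TCP or unparsable line
        src, sport, dst, dport, flags = m.groups()
        flow = (src, sport, dst, dport)
        if flags == "S":
            # Initial SYN (or a retransmit of it) from the client side.
            seen.add(flow)
            pending.add(flow)
        elif "S" not in flags:
            # ACK, data, FIN or RST from the client side ends the half-open state.
            # SYN-ACKs ("S.") travel in the reverse direction and are ignored.
            pending.discard(flow)
    return len(seen), Counter(flow[0] for flow in pending)


if __name__ == "__main__":
    total, stuck = half_open_by_source(SAMPLE)
    print(f"{sum(stuck.values())} of {total} handshakes never completed")
    for ip, count in stuck.most_common(10):
        print(f"{ip}\t{count}")
```

A high share of incomplete handshakes is consistent with both causes named in the reply; because source addresses may be spoofed, the per-source counts only point at a real sender when the same addresses also show completed sessions.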