{"id":21445022,"url":"https://github.com/ltd-beget/syncookied","last_synced_at":"2026-03-12T10:33:20.934Z","repository":{"id":43906058,"uuid":"66295501","full_name":"LTD-Beget/syncookied","owner":"LTD-Beget","description":"syn flood protection","archived":false,"fork":false,"pushed_at":"2017-05-29T16:26:19.000Z","size":296,"stargazers_count":316,"open_issues_count":10,"forks_count":44,"subscribers_count":21,"default_branch":"master","last_synced_at":"2025-04-09T18:17:52.507Z","etag":null,"topics":["flood-attacks","netmap","rust","syn-flood","tcp","traffic","traffic-filtering"],"latest_commit_sha":null,"homepage":null,"language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/LTD-Beget.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2016-08-22T17:55:46.000Z","updated_at":"2024-11-20T15:16:37.000Z","dependencies_parsed_at":"2022-09-17T06:51:28.895Z","dependency_job_id":null,"html_url":"https://github.com/LTD-Beget/syncookied","commit_stats":null,"previous_names":[],"tags_count":11,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/LTD-Beget%2Fsyncookied","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/LTD-Beget%2Fsyncookied/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/LTD-Beget%2Fsyncookied/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/LTD-Beget%2Fsyncookied/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/LTD-Beget","download_url":"https://codeload.github.com/LTD-Beget/syncookied/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248085328,"owners_count":21045139,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["flood-attacks","netmap","rust","syn-flood","tcp","traffic","traffic-filtering"],"created_at":"2024-11-23T02:22:42.629Z","updated_at":"2026-03-12T10:33:15.889Z","avatar_url":"https://github.com/LTD-Beget.png","language":"Rust","readme":"syncookied\n==========\n\n![syncookied logo](https://beget.com/images/syncookied/ddos_beget.png)\n\n[![Build Status](https://travis-ci.org/LTD-Beget/syncookied.svg?branch=master)](https://travis-ci.org/LTD-Beget/syncookied)\n\n`syncookied` emulates linux kernel syncookie functionality by intercepting SYN packets\nand sending replies to them using the same cookie generation alghorithm. It can achieve\nbetter performance under SYN flood attacks thanks to kernel bypass (netmap).\n\nInstallation\n============\n\n1. Install rust (instructions here: https://www.rust-lang.org/en-US/downloads.html)\n2. Install `build-essential` and `libpcap-dev` or equivalent package for your distribution\n3. Install [netmap](https://github.com/luigirizzo/netmap). Make sure netmap.h / netmap_user.h can be found in /usr/include. Alternative you can point CFLAGS variable to their location: [example](https://github.com/LTD-Beget/syncookied/blob/master/.travis.yml).\n4. run `cargo build --release`, resulting binary will be found in target/release/syncookied. \n\nNote: we use [AVX](https://en.wikipedia.org/wiki/Advanced_Vector_Extensions)-accelerated SHA1 function by default. SSE3 implementation is also available under sse3 feature flag, i.e.:  `cargo build --features=sse3 --no-default-features --release`.\n\nHow to run\n==========\n\nOn server you want to protect\n------------------------------\n1. Install [tcpsecrets](https://github.com/LTD-Beget/tcpsecrets) linux kernel mode to expose tcp syncookie key and timestamp\n2. Start syncookied in `server` mode: `syncookied server \u003cproto://ip:port\u003e`. Running this \ncommands automatically starts a TCP or UDP server on specified ip/port and sets `net.ipv4.tcp_syncookies` to 2 on first request.\n\nOn server you want to use for packet processing\n-----------------------------------------------\n1. Install [netmap](https://github.com/luigirizzo/netmap) and make sure it works (pkt-gen)\n\n2. Disable NIC offloading features on the interface you want to use (eth2 here):\n\n   ```\n   ethtool -K eth2 gro off gso off tso off lro off rx off tx off \n   ethtool -A eth2 rx off tx off\n   ethtool -G eth2 rx 2048 tx 2048\n   ```\n\n3. Set up queues and affinities. Here we bind 12 queues to first 12 cpu cores:\n\n   ```\n   QUEUES=12\n   ethtool -L eth2 combined $QUEUES\n   ./set_irq_affinity -x 0-11 eth2\n   ```\n\n    set_irq_affinity is available at https://github.com/majek/ixgbe/blob/master/scripts/set_irq_affinity\n\n4. Create hosts.yml file in the working directory, which looks like this\n   ```\n   - ip: 185.50.25.4\n     secrets_addr: udp://192.168.3.231:1488\n     mac: 0c:c4:7a:6a:fa:bf\n   ```\nHere ip is external ip you want to protect, secrets_addr is the address of syncookied server running on protected host, and mac is its MAC address.\n\n5. Run `syncookied -i eth2`. It will print something like this:\n   ```\n   Configuration: 185.50.25.4 -\u003e c:c4:7a:6a:fa:bf\n   interfaces: [Rx: eth2/3c:fd:fe:9f:a8:82, Tx: eth2/3c:fd:fe:9f:a8:82] Cores: 24\n   12 Rx rings @ eth2, 12 Tx rings @ eth2 Queue: 1048576\n   Starting RX thread for ring 0 at eth2\n   Starting TX thread for ring 0 at eth2\n   Uptime reader for 185.50.25.4 starting\n   ...\n   ```\n6. Configure your network equipment to direct traffic for protected ip to syncookied.\n\n7. You can reload configuration at any time by changing hosts.yml and sending HUP signal to syncookied. \nIt will print something like this:\n\n   ```\n   Uptime reader for 185.50.25.4 exiting\n   All uptime readers dead\n   Old readers are dead, all hail to new readers\n   Uptime reader for 185.50.25.4 starting\n   ...\n   ```\n\n8. Enjoy your ddos protection\n\nNotes\n-----\n`syncookied` has some options you may want to tune, see `syncookied --help`.\nIf you have more than 1 interface on your server, you may want to look into -O to use second one for TX. \nThis greatly improves performance and latency as forwarding and syn-reply traffic is separated.\n\nTraffic filtering\n-----------------\nIt's possible to filter traffic by adding \"filters\" section to host configuration like this:\n```\n- ip: 185.50.25.4\n  secrets_addr: 127.0.0.1:1488\n  mac: 0c:c4:7a:6b:0a:78\n  filters:\n   tcp and dst port 53: drop\n   tcp and dst port 22: pass\n   default: pass\n```\nFilters are written in pcap syntax. Consult `pcap-filter(7)` for more information. \nDefault policy is \"pass\". It can be changed by using `default` key.\nNote that filtering happens on layer 4.\n\nTroubleshooting\n---------------\nPlease check the [FAQ](https://github.com/LTD-Beget/syncookied/wiki) before filing an issue.\n\nNeed help?\n----------\nJoin us on Telegram: https://telegram.me/syncookied\n\nPerformance\n===========\nsyncookied under 12.65 Mpps syn flood attack utilizing 12 cores of Xeon E5-2680v3:\n![syncookied perf](http://i.imgur.com/Y5HhQmh.png)\n\nLicense\n=======\n`syncookied` is distributed under the term of GPLv2.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fltd-beget%2Fsyncookied","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fltd-beget%2Fsyncookied","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fltd-beget%2Fsyncookied/lists"}