Synproxy Telegraf Input Plugin
Synproxy is a netfilter module included in Linux kernels since version 3.12. It's used to protect Transmission Control Protocol (TCP) servers from attacks such as SYN floods. A SYN flood is when an attacker repeatedly requests a connection with a server and does not finalize the connection. These unresolved connections can overload the server, which then becomes very slow or even shuts down. Synproxy acts as an intermediary and connects clients and servers only when a legitimate client sends a complete request. It passes valid connections through and stops attacks without affecting the server. You can use Synproxy with encrypted and unencrypted TCP traffic because it doesn't affect content.
Why use a Telegraf plugin for Synproxy?
The Synproxy Telegraf Input Plugin captures counters from Synproxy including invalid cookies, cookies retransmitted, valid cookies, entries, SYN received, and connections reopened. Using this plugin allows you to monitor the attacks that Synproxy stops from going through to your server. Knowing statistics like how many connections Synproxy intercepts gives you a more complete picture of your security status. In the event of a server attack, this information can help you investigate and stop future security problems.
How to monitor Synproxy using the Telegraf plugin
The Synproxy Telegraf Input Plugin is very simple to use as it doesn't require any configuration. You can use queries to monitor the performance of Synproxy on your network and analyze metrics such as the number of connections reopened per hour for the last day. This plugin makes it easy to keep track of metrics as you use Synproxy to protect your TCP server from SYN floods and other similar attacks.
Key Synproxy metrics to use for monitoring
Some of the important Synproxy metrics that you should proactively monitor include:
cookie_invalid(uint32, packets, counter) - Invalid cookies
cookie_retrans(uint32, packets, counter) - Cookies retransmitted
cookie_valid(uint32, packets, counter) - Valid cookies
entries(uint32, packets, counter) - Entries
syn_received(uint32, packets, counter) - SYN received
conn_reopened(uint32, packets, counter) - Connections reopened