Improved SYN Cookies: Looking for testers

Loganaden Velvindron logan at elandsys.com
Tue Jul 16 11:32:54 UTC 2013


On Thu, Jul 11, 2013 at 10:36:22AM +0200, Andre Oppermann wrote:
> On 10.07.2013 15:18, Fabian Keil wrote:
> >Andre Oppermann <andre at freebsd.org> wrote:
> >
> >>We have a SYN cookie implementation for quite some time now but it
> >>has some limitations with current realities for window scaling and
> >>SACK encoding in the few available bits.
> >>
> >>This patch updates and improves SYN cookies mainly by:
> >>
> >>   a) encoding of MSS, WSCALE (window scaling) and SACK into the ISN
> >>      (initial sequence number) without the use of timestamp bits.
> >>
> >>   b) switching to the very fast and cryptographically strong SipHash-2-4
> >>      hash MAC algorithm to protect the SYN cookie against forgery.
> >>
> >>The patch had been reviewed by dwmalone (cookies) and cperciva (siphash).
> >>
> >>Please find it here for testing:
> >>
> >>   http://people.freebsd.org/~andre/syncookie-20130708.diff
> >
> >I've been using the patch for a couple of days and didn't notice any
> >issues so far. Privoxy's regression tests continue to work as expected
> >as well.
> 
> Thanks for testing and reporting back.

We are currently downloading FreeBSD -current snapshot for testing.

Unfortunately, we've been hit by a number of SYN flood attacks recently,
and your patch looks very promising.

Would there be interest in reviewing backported patches for the 9.x release?


> 
> Could you test with net.inet.tcp.log_debug and net.inet.tcp.syncookies_only=1
> as well to bypass the syn cache entirely?
> 
> It will give a bit of debug log output which is telling you mostly about
> rounding to the next nearest index value.  You can send the output privately
> to me to spot unexpected outliers, if any.
> 
> >BTW, I think kern/173309 could be closed.
> 
> OK.
> 
> -- 
> Andre
> 
> _______________________________________________
> freebsd-net at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
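To make points (a) and (b) of the patch description concrete, here is an added stand-alone example; it is not Andre's patch and not FreeBSD's code. It packs an MSS table index, a window-scale table index and a SACK bit into the low 7 bits of the ISN, and fills the upper 25 bits with a truncated SipHash-2-4 tag over the 4-tuple, the peer's ISN, a time slot and those option bits, so no timestamp bits are consumed. The bit layout, the two tables, the `slot` input (which a real stack derives from a coarse clock and checks for the current and previous slot) and the sample key and flow are all assumptions for illustration; the rounding-down of MSS and WSCALE to the nearest table entry is the kind of rounding the debug log mentioned above reports.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* --- SipHash-2-4 (Aumasson & Bernstein): 128-bit key, 64-bit tag --- */
#define ROTL64(x, b) (uint64_t)(((x) << (b)) | ((x) >> (64 - (b))))
#define SIPROUND do {                                                \
    v0 += v1; v1 = ROTL64(v1, 13); v1 ^= v0; v0 = ROTL64(v0, 32);    \
    v2 += v3; v3 = ROTL64(v3, 16); v3 ^= v2;                         \
    v0 += v3; v3 = ROTL64(v3, 21); v3 ^= v0;                         \
    v2 += v1; v1 = ROTL64(v1, 17); v1 ^= v2; v2 = ROTL64(v2, 32); } while (0)

static uint64_t u64le(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

static uint64_t siphash24(const uint8_t *in, size_t len, const uint8_t key[16])
{
    uint64_t k0 = u64le(key), k1 = u64le(key + 8);
    uint64_t v0 = 0x736f6d6570736575ULL ^ k0, v1 = 0x646f72616e646f6dULL ^ k1;
    uint64_t v2 = 0x6c7967656e657261ULL ^ k0, v3 = 0x7465646279746573ULL ^ k1;
    uint64_t b = (uint64_t)len << 56;               /* length byte lives in the top of the last word */
    const uint8_t *end = in + (len & ~(size_t)7);

    for (; in != end; in += 8) {                    /* each full word: 2 compression rounds */
        uint64_t m = u64le(in);
        v3 ^= m; SIPROUND; SIPROUND; v0 ^= m;
    }
    for (size_t i = 0; i < (len & 7); i++)          /* little-endian tail bytes */
        b |= (uint64_t)in[i] << (8 * i);
    v3 ^= b; SIPROUND; SIPROUND; v0 ^= b;
    v2 ^= 0xff;                                     /* finalization: 4 rounds */
    SIPROUND; SIPROUND; SIPROUND; SIPROUND;
    return v0 ^ v1 ^ v2 ^ v3;
}

/* --- Cookie layout (ASSUMED for illustration, not FreeBSD's bit allocation) ---
 *  bits  0-2 : mss_table index      bits 3-5 : wscale_table index
 *  bit   6   : peer offered SACK    bits 7-31: 25-bit SipHash-2-4 truncation */
static const uint16_t mss_table[8]    = { 216, 536, 1200, 1360, 1400, 1440, 1452, 1460 };
static const uint8_t  wscale_table[8] = { 0, 1, 2, 3, 4, 6, 7, 14 };

struct flow {
    uint32_t saddr, daddr;   /* peer / local IPv4 address, host order */
    uint16_t sport, dport;
    uint32_t irs;            /* peer's initial sequence number taken from the SYN */
};

/* Round DOWN to the largest table entry <= value: the conservative direction
 * (we send smaller segments and read the peer's window as smaller than offered). */
static uint8_t mss_index(uint16_t mss)
{
    uint8_t i = 0;
    while (i < 7 && mss_table[i + 1] <= mss) i++;
    return i;
}
static uint8_t wscale_index(uint8_t ws)
{
    uint8_t i = 0;
    while (i < 7 && wscale_table[i + 1] <= ws) i++;
    return i;
}

static void put32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

static uint32_t cookie_mac(const struct flow *f, uint8_t opts, uint32_t slot, const uint8_t key[16])
{
    uint8_t buf[20];
    put32(buf, f->saddr);       put32(buf + 4, f->daddr);
    put32(buf + 8, ((uint32_t)f->sport << 16) | f->dport);
    put32(buf + 12, f->irs);
    put32(buf + 16, ((slot & 0xffffffu) << 8) | opts);   /* bind slot and option bits into the tag */
    return (uint32_t)(siphash24(buf, sizeof buf, key) & 0x1ffffffu);
}

uint32_t syncookie_generate(const struct flow *f, uint16_t mss, uint8_t wscale, int sack,
                            uint32_t slot, const uint8_t key[16])
{
    uint8_t opts = (uint8_t)(mss_index(mss) | (wscale_index(wscale) << 3) | ((sack ? 1 : 0) << 6));
    return (cookie_mac(f, opts, slot, key) << 7) | opts;
}

/* On the handshake-completing ACK: cookie = ack_seq - 1 and f->irs = seq - 1.
 * Returns 1 and recovers the options if the tag verifies for `slot`, else 0. */
int syncookie_validate(const struct flow *f, uint32_t cookie, uint32_t slot, const uint8_t key[16],
                       uint16_t *mss, uint8_t *wscale, int *sack)
{
    uint8_t opts = cookie & 0x7f;
    if ((cookie >> 7) != cookie_mac(f, opts, slot, key))
        return 0;                     /* forged, option bits tampered, stale slot, or another flow's cookie */
    *mss = mss_table[opts & 7];
    *wscale = wscale_table[(opts >> 3) & 7];
    *sack = (opts >> 6) & 1;
    return 1;
}

int siphash24_selftest(void)          /* reference vector from the SipHash paper */
{
    uint8_t key[16], msg[15];
    for (int i = 0; i < 16; i++) key[i] = (uint8_t)i;
    for (int i = 0; i < 15; i++) msg[i] = (uint8_t)i;
    return siphash24(msg, sizeof msg, key) == 0xa129ca6149be45e5ULL;
}

int syncookie_selftest(void)          /* constructed key and SYN; not real traffic */
{
    uint8_t key[16] = { 9, 8, 7, 6, 5, 4, 3, 2, 1, 0, 0xa, 0xb, 0xc, 0xd, 0xe, 0xf };
    struct flow f = { 0xc0a80002u, 0xc0a80001u, 40000, 80, 0x12345678u };
    uint16_t mss; uint8_t ws; int sack;
    uint32_t c = syncookie_generate(&f, 1460, 7, 1, 42, key);
    if (!syncookie_validate(&f, c, 42, key, &mss, &ws, &sack)) return 0;
    if (mss != 1460 || ws != 7 || sack != 1) return 0;
    if (syncookie_validate(&f, c ^ (1u << 6), 42, key, &mss, &ws, &sack)) return 0; /* SACK bit flipped */
    if (syncookie_validate(&f, c, 43, key, &mss, &ws, &sack)) return 0;             /* wrong slot */
    f.sport = 40001;
    if (syncookie_validate(&f, c, 42, key, &mss, &ws, &sack)) return 0;             /* different flow */
    return 1;
}

int main(void)
{
    printf("siphash24 vector: %s\n", siphash24_selftest() ? "ok" : "FAIL");
    printf("syncookie round-trip: %s\n", syncookie_selftest() ? "ok" : "FAIL");
    return 0;
}
```

With only 25 MAC bits a forger still has a 2^-25 chance per guess, so a stack using this shape relies on the slot rotating (and on rejecting cookies whose slot is too old) rather than on the tag width alone; the key must be a random 128-bit secret, not a constant as in the self-test.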

