Improved SYN Cookies: Looking for testers

Andre Oppermann andre at
Tue Jul 16 13:58:56 UTC 2013

On 16.07.2013 13:32, Loganaden Velvindron wrote:
> On Thu, Jul 11, 2013 at 10:36:22AM +0200, Andre Oppermann wrote:
>> On 10.07.2013 15:18, Fabian Keil wrote:
>>> Andre Oppermann <andre at> wrote:
>>>> We have a SYN cookie implementation for quite some time now but it
>>>> has some limitations with current realities for window scaling and
>>>> SACK encoding the in the few available bits.
>>>> This patch updates and improves SYN cookies mainly by:
>>>>    a) encoding of MSS, WSCALE (window scaling) and SACK into the ISN
>>>>       (initial sequence number) without the use of timestamp bits.
>>>>    b) switching to the very fast and cryptographically strong SipHash-2-4
>>>>       hash MAC algorithm to protect the SYN cookie against forgery.
>>>> The patch had been reviewed by dwmalone (cookies) and cperciva (siphash).
>>>> Please find it here for testing:
>>> I've been using the patch for a couple of days and didn't notice any
>>> issues so far. Privoxy's regression tests continue to work as expected
>>> as well.
>> Thanks for testing and reporting back.
> We are currently downloading FreeBSD -current snapshot for testing.
> Unfortunately, we've been hit by a number of SYN flood attacks recently,
> and your patch looks very promising.

It should help a lot.

> Would there be interest in reviewing backported patched for 9.x release ?

A backport should be straight forward.  I currently can't commit it because
of feature freeze for the upcoming 9.2 release cycle.  Once the 9.2 branch
has been created I'll do the MFC to 9-stable.


More information about the freebsd-net mailing list