Improved SYN Cookies: Looking for testers
Andre Oppermann
andre at freebsd.org
Tue Jul 16 13:58:56 UTC 2013
On 16.07.2013 13:32, Loganaden Velvindron wrote:
> On Thu, Jul 11, 2013 at 10:36:22AM +0200, Andre Oppermann wrote:
>> On 10.07.2013 15:18, Fabian Keil wrote:
>>> Andre Oppermann <andre at freebsd.org> wrote:
>>>
>>>> We have a SYN cookie implementation for quite some time now but it
>>>> has some limitations with current realities for window scaling and
>>>> SACK encoding the in the few available bits.
>>>>
>>>> This patch updates and improves SYN cookies mainly by:
>>>>
>>>> a) encoding of MSS, WSCALE (window scaling) and SACK into the ISN
>>>> (initial sequence number) without the use of timestamp bits.
>>>>
>>>> b) switching to the very fast and cryptographically strong SipHash-2-4
>>>> hash MAC algorithm to protect the SYN cookie against forgery.
>>>>
>>>> The patch had been reviewed by dwmalone (cookies) and cperciva (siphash).
>>>>
>>>> Please find it here for testing:
>>>>
>>>> http://people.freebsd.org/~andre/syncookie-20130708.diff
>>>
>>> I've been using the patch for a couple of days and didn't notice any
>>> issues so far. Privoxy's regression tests continue to work as expected
>>> as well.
>>
>> Thanks for testing and reporting back.
>
> We are currently downloading FreeBSD -current snapshot for testing.
>
> Unfortunately, we've been hit by a number of SYN flood attacks recently,
> and your patch looks very promising.
It should help a lot.
> Would there be interest in reviewing backported patched for 9.x release ?
A backport should be straight forward. I currently can't commit it because
of feature freeze for the upcoming 9.2 release cycle. Once the 9.2 branch
has been created I'll do the MFC to 9-stable.
--
Andre
More information about the freebsd-net
mailing list