From: Loganaden Velvindron <logan@elandsys.com>
To: Andre Oppermann
Cc: freebsd-net@freebsd.org
Date: Tue, 16 Jul 2013 04:32:49 -0700
Subject: Re: Improved SYN Cookies: Looking for testers
Message-ID: <20130716113249.GA6638@mx.elandsys.com>
References: <51DA68B8.6070201@freebsd.org> <20130710151821.5a8cf38a@fabiankeil.de> <51DE6E86.6080707@freebsd.org>
In-Reply-To: <51DE6E86.6080707@freebsd.org>
User-Agent: Mutt/1.5.21 (2010-09-15)
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net@freebsd.org>

On Thu, Jul 11, 2013 at 10:36:22AM +0200, Andre Oppermann wrote:
> On 10.07.2013 15:18, Fabian Keil wrote:
> >Andre Oppermann wrote:
> >
> >>We have a SYN cookie implementation for quite some time now but it
> >>has some limitations with current realities for window scaling and
> >>SACK encoding in the few available bits.
> >>
> >>This patch updates and improves SYN cookies mainly by:
> >>
> >> a) encoding of MSS, WSCALE (window scaling) and SACK into the ISN
> >>    (initial sequence number) without the use of timestamp bits.
> >>
> >> b) switching to the very fast and cryptographically strong SipHash-2-4
> >>    hash MAC algorithm to protect the SYN cookie against forgery.
> >>
> >>The patch had been reviewed by dwmalone (cookies) and cperciva (siphash).
> >>
> >>Please find it here for testing:
> >>
> >>  http://people.freebsd.org/~andre/syncookie-20130708.diff
> >
> >I've been using the patch for a couple of days and didn't notice any
> >issues so far. Privoxy's regression tests continue to work as expected
> >as well.
>
> Thanks for testing and reporting back.

We are currently downloading the FreeBSD -current snapshot for testing.
Unfortunately, we've been hit by a number of SYN flood attacks recently,
and your patch looks very promising. Would there be interest in reviewing
backported patches for the 9.x release?

> Could you test with net.inet.tcp.log_debug and net.inet.tcp.syncookies_only=1
> as well to bypass the syn cache entirely?
>
> It will give a bit of debug log output which is telling you mostly about
> rounding to the next nearest index value. You can send the output privately
> to me to spot unexpected outliers, if any.
>
> >BTW, I think kern/173309 could be closed.
>
> OK.
>
> --
> Andre
>
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
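The two ideas in the quoted patch description, packing MSS, WSCALE and SACK into the ISN and protecting those bits with a SipHash-2-4 MAC, are illustrated below in a self-contained C example. This is an added illustration, not code from Andre's patch or from the FreeBSD tree: the bit layout (2-bit MSS table index, 4-bit window-scale shift, 1 SACK bit, 25-bit MAC), the MSS table, the secret key and the sample flow are all constructed here, and the real implementation also has to rotate the secret over time so that an old cookie stops validating, which this toy omits. It does show why the option bits must be covered by the MAC: a peer cannot flip the decoded MSS or window scale without also having to forge the keyed hash over the 4-tuple, which is what the "rounding to the next nearest index value" debug output in the thread is about on the encoding side.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* SipHash-2-4, written out from the published algorithm (not FreeBSD's code). */
#define ROTL64(x, b) ((uint64_t)(((x) << (b)) | ((x) >> (64 - (b)))))
#define SIPROUND do { \
    v0 += v1; v1 = ROTL64(v1, 13); v1 ^= v0; v0 = ROTL64(v0, 32); \
    v2 += v3; v3 = ROTL64(v3, 16); v3 ^= v2; \
    v0 += v3; v3 = ROTL64(v3, 21); v3 ^= v0; \
    v2 += v1; v1 = ROTL64(v1, 17); v1 ^= v2; v2 = ROTL64(v2, 32); } while (0)

static uint64_t le64(const uint8_t *p)      /* little-endian 8-byte load */
{
    uint64_t r = 0;
    for (int i = 7; i >= 0; i--) r = (r << 8) | p[i];
    return r;
}

uint64_t siphash24(const uint8_t key[16], const uint8_t *in, size_t len)
{
    uint64_t k0 = le64(key), k1 = le64(key + 8);
    uint64_t v0 = 0x736f6d6570736575ULL ^ k0, v1 = 0x646f72616e646f6dULL ^ k1;
    uint64_t v2 = 0x6c7967656e657261ULL ^ k0, v3 = 0x7465646279746573ULL ^ k1;
    size_t i = 0;
    for (; i + 8 <= len; i += 8) {          /* compress each full 8-byte word */
        uint64_t m = le64(in + i);
        v3 ^= m; SIPROUND; SIPROUND; v0 ^= m;
    }
    uint64_t b = (uint64_t)len << 56;       /* last word: length byte + tail bytes */
    for (size_t j = 0; i + j < len; j++) b |= (uint64_t)in[i + j] << (8 * j);
    v3 ^= b; SIPROUND; SIPROUND; v0 ^= b;
    v2 ^= 0xff;                             /* finalization: four rounds */
    SIPROUND; SIPROUND; SIPROUND; SIPROUND;
    return v0 ^ v1 ^ v2 ^ v3;
}

/* Constructed cookie layout for this example (not the patch's exact layout):
 * bits 0-1 MSS table index, bits 2-5 window-scale shift (0..14),
 * bit 6 SACK permitted, bits 7-31 a 25-bit SipHash-2-4 MAC. */
#define OPT_BITS 7
#define OPT_MASK ((1u << OPT_BITS) - 1)
static const uint16_t mss_table[4] = { 216, 536, 1220, 1460 };  /* constructed */

struct flow { uint32_t laddr, faddr; uint16_t lport, fport; };
struct synopts { uint16_t mss; uint8_t wscale; uint8_t sack; };

/* MAC over the 4-tuple and the option bits, so the options cannot be altered. */
static uint32_t cookie_mac(const uint8_t key[16], const struct flow *f, uint8_t opts)
{
    uint8_t buf[13];
    for (int i = 0; i < 4; i++) {
        buf[i]     = (uint8_t)(f->laddr >> (24 - 8 * i));
        buf[4 + i] = (uint8_t)(f->faddr >> (24 - 8 * i));
    }
    buf[8]  = (uint8_t)(f->lport >> 8); buf[9]  = (uint8_t)f->lport;
    buf[10] = (uint8_t)(f->fport >> 8); buf[11] = (uint8_t)f->fport;
    buf[12] = opts;
    return (uint32_t)(siphash24(key, buf, sizeof buf) >> (64 - (32 - OPT_BITS)));
}

uint32_t syncookie_generate(const uint8_t key[16], const struct flow *f, const struct synopts *o)
{
    uint8_t mss_idx = 0, ws = o->wscale > 14 ? 14 : o->wscale;
    for (uint8_t i = 0; i < 4; i++)         /* round down to the nearest table MSS */
        if (mss_table[i] <= o->mss) mss_idx = i;
    uint8_t opts = (uint8_t)(mss_idx | (ws << 2) | ((o->sack ? 1u : 0u) << 6));
    return (cookie_mac(key, f, opts) << OPT_BITS) | opts;
}

/* Returns 1 and fills *out when the ACK's cookie (ack - 1) validates, else 0. */
int syncookie_verify(const uint8_t key[16], const struct flow *f, uint32_t cookie, struct synopts *out)
{
    uint8_t opts = (uint8_t)(cookie & OPT_MASK);
    uint32_t d = cookie_mac(key, f, opts) ^ (cookie >> OPT_BITS);
    if ((d | (0u - d)) >> 31) return 0;     /* branch-free nonzero test: forged */
    out->mss = mss_table[opts & 3];
    out->wscale = (opts >> 2) & 15;
    out->sack = (opts >> 6) & 1;
    return 1;
}

/* Constructed key and flow used by the self-tests and main(). */
static const uint8_t test_key[16] = { 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 };
static const struct flow test_flow = { 0xc0a80001u, 0xc0a80064u, 80, 40000 };

int siphash_selftest(void)                  /* 15-byte vector from the SipHash paper */
{
    uint8_t m[15]; for (int i = 0; i < 15; i++) m[i] = (uint8_t)i;
    return siphash24(test_key, m, 15) == 0xa129ca6149be45e5ULL;
}

uint16_t roundtrip_mss(uint16_t mss)        /* MSS decoded after encode/verify */
{
    struct synopts in = { mss, 7, 1 }, out;
    uint32_t c = syncookie_generate(test_key, &test_flow, &in);
    return syncookie_verify(test_key, &test_flow, c, &out) ? out.mss : 0;
}

int tamper_rejected(void)                   /* a flipped MAC bit must be refused */
{
    struct synopts in = { 1460, 14, 1 }, out;
    uint32_t c = syncookie_generate(test_key, &test_flow, &in);
    int ok = syncookie_verify(test_key, &test_flow, c, &out) && out.wscale == 14 && out.sack == 1;
    return ok && !syncookie_verify(test_key, &test_flow, c ^ (1u << 20), &out);
}

int main(void)
{
    struct synopts in = { 1460, 7, 1 }, out;
    uint32_t isn = syncookie_generate(test_key, &test_flow, &in);
    printf("cookie/ISN %08x, siphash selftest %d\n", isn, siphash_selftest());
    if (syncookie_verify(test_key, &test_flow, isn, &out))
        printf("decoded mss=%u wscale=%u sack=%u\n", out.mss, out.wscale, out.sack);
    return 0;
}
```

The MSS is the lossy part of the encoding: a peer offering 1400 is rounded down to 1220 because the table only has four entries, which is the kind of rounding the quoted debug output reports; the window-scale shift is carried verbatim in four bits, so it round-trips exactly, and any change to the option bits, the addresses or the ports changes the MAC and fails the constant-time comparison in syncookie_verify.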