Date:      Tue, 16 Jul 2013 15:58:45 +0200
From:      Andre Oppermann <andre@freebsd.org>
To:        Loganaden Velvindron <logan@elandsys.com>
Cc:        freebsd-net@freebsd.org
Subject:   Re: Improved SYN Cookies: Looking for testers
Message-ID:  <51E55195.6000205@freebsd.org>
In-Reply-To: <20130716113249.GA6638@mx.elandsys.com>
References:  <51DA68B8.6070201@freebsd.org> <20130710151821.5a8cf38a@fabiankeil.de> <51DE6E86.6080707@freebsd.org> <20130716113249.GA6638@mx.elandsys.com>

On 16.07.2013 13:32, Loganaden Velvindron wrote:
> On Thu, Jul 11, 2013 at 10:36:22AM +0200, Andre Oppermann wrote:
>> On 10.07.2013 15:18, Fabian Keil wrote:
>>> Andre Oppermann <andre@freebsd.org> wrote:
>>>
>>>> We have a SYN cookie implementation for quite some time now but it
>>>> has some limitations with current realities for window scaling and
>>>> SACK encoding in the few available bits.
>>>>
>>>> This patch updates and improves SYN cookies mainly by:
>>>>
>>>>    a) encoding of MSS, WSCALE (window scaling) and SACK into the ISN
>>>>       (initial sequence number) without the use of timestamp bits.
>>>>
>>>>    b) switching to the very fast and cryptographically strong SipHash-2-4
>>>>       hash MAC algorithm to protect the SYN cookie against forgery.
>>>>
>>>> The patch had been reviewed by dwmalone (cookies) and cperciva (siphash).
>>>>
>>>> Please find it here for testing:
>>>>
>>>>    http://people.freebsd.org/~andre/syncookie-20130708.diff
>>>
>>> I've been using the patch for a couple of days and didn't notice any
>>> issues so far. Privoxy's regression tests continue to work as expected
>>> as well.
>>
>> Thanks for testing and reporting back.
>
> We are currently downloading FreeBSD -current snapshot for testing.
>
> Unfortunately, we've been hit by a number of SYN flood attacks recently,
> and your patch looks very promising.

It should help a lot.

> Would there be interest in reviewing backported patches for 9.x release?

A backport should be straightforward.  I currently can't commit it because
of feature freeze for the upcoming 9.2 release cycle.  Once the 9.2 branch
has been created I'll do the MFC to 9-stable.

-- 
Andre
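An added illustration of the scheme the quoted patch description outlines (MSS, WSCALE and SACK packed into the ISN, protected by a SipHash-2-4 MAC); this is example code written for this page, not the FreeBSD patch itself, and the bit layout, MSS table, key and flow are constructed assumptions that may differ from the real implementation.

```c
#include <stdint.h>
#include <string.h>
/* Added illustration, not the FreeBSD patch: pack MSS index, WSCALE and a SACK bit
 * into the low ISN byte and MAC the 4-tuple plus those bits with SipHash-2-4.
 * Field layout, MSS table, key and flow are constructed assumptions. */
#define ROTL(x, b) (uint64_t)(((x) << (b)) | ((x) >> (64 - (b))))
#define SIPROUND do { v0 += v1; v1 = ROTL(v1, 13); v1 ^= v0; v0 = ROTL(v0, 32); \
    v2 += v3; v3 = ROTL(v3, 16); v3 ^= v2; v0 += v3; v3 = ROTL(v3, 21); v3 ^= v0; \
    v2 += v1; v1 = ROTL(v1, 17); v1 ^= v2; v2 = ROTL(v2, 32); } while (0)
static uint64_t le64(const uint8_t *p) {  /* little-endian 64-bit load */
    uint64_t v = 0; for (int i = 7; i >= 0; i--) v = v << 8 | p[i]; return v; }
/* SipHash-2-4 (reference algorithm) over an arbitrary-length message. */
uint64_t siphash24(const uint8_t key[16], const uint8_t *m, size_t len) {
    uint64_t k0 = le64(key), k1 = le64(key + 8), b = (uint64_t)len << 56, i = 0;
    uint64_t v0 = k0 ^ 0x736f6d6570736575ULL, v1 = k1 ^ 0x646f72616e646f6dULL;
    uint64_t v2 = k0 ^ 0x6c7967656e657261ULL, v3 = k1 ^ 0x7465646279746573ULL;
    for (; i + 8 <= len; i += 8) {
        uint64_t mi = le64(m + i); v3 ^= mi; SIPROUND; SIPROUND; v0 ^= mi; }
    for (uint64_t j = 0; i + j < len; j++) b |= (uint64_t)m[i + j] << (8 * j);
    v3 ^= b; SIPROUND; SIPROUND; v0 ^= b; v2 ^= 0xff;
    SIPROUND; SIPROUND; SIPROUND; SIPROUND;
    return v0 ^ v1 ^ v2 ^ v3;
}
struct flow { uint32_t saddr, daddr; uint16_t sport, dport; };
static const uint16_t mss_tab[8] = {216, 536, 1200, 1360, 1400, 1440, 1460, 8960};
static const uint8_t demo_key[16] = {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15};
static const struct flow demo_flow = {0x0a000001, 0xc0a80001, 40000, 80};
/* Index of the largest table MSS not exceeding the peer's announced MSS. */
unsigned mss_index(uint16_t mss) {
    unsigned i = 0; while (i + 1 < 8 && mss_tab[i + 1] <= mss) i++; return i; }
/* 24-bit MAC over 4-tuple and option byte: altering the options breaks the MAC. */
static uint32_t cookie_mac(const uint8_t key[16], const struct flow *f, uint8_t opts) {
    uint8_t m[13]; memcpy(m, &f->saddr, 4); memcpy(m + 4, &f->daddr, 4);
    memcpy(m + 8, &f->sport, 2); memcpy(m + 10, &f->dport, 2); m[12] = opts;
    return (uint32_t)(siphash24(key, m, sizeof m) >> 40); }
/* ISN layout (assumed): bits 31..8 MAC, 7..4 WSCALE, 3..1 MSS index, 0 SACK. */
uint32_t syncookie_generate(const uint8_t key[16], const struct flow *f, uint16_t mss, unsigned wscale, int sack) {
    uint8_t opts = (uint8_t)((wscale & 0xf) << 4 | mss_index(mss) << 1 | (sack & 1));
    return cookie_mac(key, f, opts) << 8 | opts; }
/* Pass the final ACK's ack number minus one; returns 1 and the options only if the MAC verifies. */
int syncookie_validate(const uint8_t key[16], const struct flow *f, uint32_t isn, uint16_t *mss, unsigned *wscale, int *sack) {
    uint8_t opts = isn & 0xff;
    if ((isn >> 8) != cookie_mac(key, f, opts)) return 0;
    *mss = mss_tab[(opts >> 1) & 7]; *wscale = opts >> 4; *sack = opts & 1; return 1; }
/* Round trip on the constructed flow; 'flip' XORs bits into the ISN to model tampering. */
int cookie_check(uint16_t mss, unsigned ws, int sack, uint32_t flip) {
    uint16_t m; unsigned w; int s;
    uint32_t isn = syncookie_generate(demo_key, &demo_flow, mss, ws, sack) ^ flip;
    if (!syncookie_validate(demo_key, &demo_flow, isn, &m, &w, &s)) return 0;
    return m == mss_tab[mss_index(mss)] && w == ws && s == sack; }
```

The SipHash core can be checked against the published reference vector (key 00..0f and the 15-byte message 00..0e give a129ca6149be45e5); a production cookie would additionally rotate the secret key so old cookies expire.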