Date: Tue, 16 Jul 2013 15:58:45 +0200 From: Andre Oppermann <andre@freebsd.org> To: Loganaden Velvindron <logan@elandsys.com> Cc: freebsd-net@freebsd.org Subject: Re: Improved SYN Cookies: Looking for testers Message-ID: <51E55195.6000205@freebsd.org> In-Reply-To: <20130716113249.GA6638@mx.elandsys.com> References: <51DA68B8.6070201@freebsd.org> <20130710151821.5a8cf38a@fabiankeil.de> <51DE6E86.6080707@freebsd.org> <20130716113249.GA6638@mx.elandsys.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On 16.07.2013 13:32, Loganaden Velvindron wrote: > On Thu, Jul 11, 2013 at 10:36:22AM +0200, Andre Oppermann wrote: >> On 10.07.2013 15:18, Fabian Keil wrote: >>> Andre Oppermann <andre@freebsd.org> wrote: >>> >>>> We have a SYN cookie implementation for quite some time now but it >>>> has some limitations with current realities for window scaling and >>>> SACK encoding the in the few available bits. >>>> >>>> This patch updates and improves SYN cookies mainly by: >>>> >>>> a) encoding of MSS, WSCALE (window scaling) and SACK into the ISN >>>> (initial sequence number) without the use of timestamp bits. >>>> >>>> b) switching to the very fast and cryptographically strong SipHash-2-4 >>>> hash MAC algorithm to protect the SYN cookie against forgery. >>>> >>>> The patch had been reviewed by dwmalone (cookies) and cperciva (siphash). >>>> >>>> Please find it here for testing: >>>> >>>> http://people.freebsd.org/~andre/syncookie-20130708.diff >>> >>> I've been using the patch for a couple of days and didn't notice any >>> issues so far. Privoxy's regression tests continue to work as expected >>> as well. >> >> Thanks for testing and reporting back. > > We are currently downloading FreeBSD -current snapshot for testing. > > Unfortunately, we've been hit by a number of SYN flood attacks recently, > and your patch looks very promising. It should help a lot. > Would there be interest in reviewing backported patched for 9.x release ? A backport should be straight forward. I currently can't commit it because of feature freeze for the upcoming 9.2 release cycle. Once the 9.2 branch has been created I'll do the MFC to 9-stable. -- Andre
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?51E55195.6000205>