From: Andre Oppermann <andre@freebsd.org>
To: Loganaden Velvindron
Cc: freebsd-net@freebsd.org
Subject: Re: Improved SYN Cookies: Looking for testers
Date: Tue, 16 Jul 2013 15:58:45 +0200
Message-ID: <51E55195.6000205@freebsd.org>
In-Reply-To: <20130716113249.GA6638@mx.elandsys.com>
References: <51DA68B8.6070201@freebsd.org> <20130710151821.5a8cf38a@fabiankeil.de> <51DE6E86.6080707@freebsd.org> <20130716113249.GA6638@mx.elandsys.com>
List-Id: Networking and TCP/IP with FreeBSD

On 16.07.2013 13:32, Loganaden Velvindron wrote:
> On Thu, Jul 11, 2013 at 10:36:22AM +0200, Andre Oppermann wrote:
>> On 10.07.2013 15:18, Fabian Keil wrote:
>>> Andre Oppermann wrote:
>>>
>>>> We have had a SYN cookie implementation for quite some time now, but it
>>>> has some limitations with current realities for window scaling and
>>>> SACK encoding in the few available bits.
>>>>
>>>> This patch updates and improves SYN cookies mainly by:
>>>>
>>>> a) encoding of MSS, WSCALE (window scaling) and SACK into the ISN
>>>> (initial sequence number) without the use of timestamp bits.
>>>>
>>>> b) switching to the very fast and cryptographically strong SipHash-2-4
>>>> hash MAC algorithm to protect the SYN cookie against forgery.
>>>>
>>>> The patch has been reviewed by dwmalone (cookies) and cperciva (siphash).
>>>>
>>>> Please find it here for testing:
>>>>
>>>> http://people.freebsd.org/~andre/syncookie-20130708.diff
>>>
>>> I've been using the patch for a couple of days and didn't notice any
>>> issues so far. Privoxy's regression tests continue to work as expected
>>> as well.
>>
>> Thanks for testing and reporting back.
>
> We are currently downloading a FreeBSD -current snapshot for testing.
>
> Unfortunately, we've been hit by a number of SYN flood attacks recently,
> and your patch looks very promising. It should help a lot.
> Would there be interest in reviewing backported patches for the 9.x release?

A backport should be straightforward. I currently can't commit it because of
the feature freeze for the upcoming 9.2 release cycle. Once the 9.2 branch
has been created I'll do the MFC to 9-stable.

-- 
Andre