Date: Sun, 23 Feb 2003 11:04:23 -0800 (PST) From: Mike Silbersack <silby@FreeBSD.org> To: src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org Subject: cvs commit: src/sys/netinet tcp_syncache.c Message-ID: <200302231904.h1NJ4NCu094049@repoman.freebsd.org>
next in thread | raw e-mail | index | archive | help
silby 2003/02/23 11:04:23 PST
Modified files:
sys/netinet tcp_syncache.c
Log:
Improve the security and performance of syncookies:
Security improvements:
- Increase the size of each syncookie secret from 32 to 128 bits
in order to make brute force attacks on the secrets much more
difficult.
- Always return the lowest order dword from the MD5 hash; this
allows us to expose 2 more bits of the cookie and makes ACK
floods which seek to guess the cookie value more difficult.
Performance improvements:
- Increase the lifetime of each syncookie from 4 seconds to 16
seconds. This increases the usefulness of syncookies during
an attack.
- From Yahoo!: Reduce the number of calls to MD5Update; this
results in a ~17% increase in cookie generation time here.
Reviewed by: hsu, jayanth, jlemon, nectar
MFC After: 15 seconds
Revision Changes Path
1.38 +47 -26 src/sys/netinet/tcp_syncache.c
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200302231904.h1NJ4NCu094049>