Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 23 Feb 2003 11:04:23 -0800 (PST)
From:      Mike Silbersack <silby@FreeBSD.org>
To:        src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org
Subject:   cvs commit: src/sys/netinet tcp_syncache.c
Message-ID:  <200302231904.h1NJ4NCu094049@repoman.freebsd.org>

next in thread | raw e-mail | index | archive | help
silby       2003/02/23 11:04:23 PST

  Modified files:
    sys/netinet          tcp_syncache.c 
  Log:
  Improve the security and performance of syncookies:
  
  Security improvements:
  - Increase the size of each syncookie secret from 32 to 128 bits
    in order to make brute force attacks on the secrets much more
    difficult.
  - Always return the lowest order dword from the MD5 hash; this
    allows us to expose 2 more bits of the cookie and makes ACK
    floods which seek to guess the cookie value more difficult.
  
  Performance improvements:
  - Increase the lifetime of each syncookie from 4 seconds to 16
    seconds.  This increases the usefulness of syncookies during
    an attack.
  - From Yahoo!: Reduce the number of calls to MD5Update; this
    results in a ~17% increase in cookie generation time here.
  
  Reviewed by:    hsu, jayanth, jlemon, nectar
  MFC After:      15 seconds
  
  Revision  Changes    Path
  1.38      +47 -26    src/sys/netinet/tcp_syncache.c

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200302231904.h1NJ4NCu094049>