Date:      Thu, 20 Dec 2001 02:28:42 -0500 (EST)
From:      Mike Silbersack <silby@silby.com>
To:        Jonathan Lemon <jlemon@FreeBSD.org>
Cc:        <cvs-committers@FreeBSD.org>, <cvs-all@FreeBSD.org>
Subject:   Re: cvs commit: src/sys/netinet tcp_syncache.c
Message-ID:  <Pine.BSF.4.30.0112200219160.74187-100000@niwun.pair.com>
In-Reply-To: <200112190612.fBJ6CE264053@freefall.freebsd.org>


On Tue, 18 Dec 2001, Jonathan Lemon wrote:

> jlemon      2001/12/18 22:12:14 PST
>
>   Modified files:
>     sys/netinet          tcp_syncache.c
>   Log:
>   Extend the SYN DoS defense by adding syncookies to the syncache.
>   All TCP ISNs that are sent out are valid cookies, which allows entries
>   in the syncache to be dropped and still have the ACK accepted later.
>   As all entries pass through the syncache, there is no sudden switchover
>   from cache -> cookies when the cache is full; instead, syncache entries
>   simply have a reduced lifetime.  More details may be found in the
>   "Resisting DoS attacks with a SYN cache" paper in the Usenix BSDCon 2002
>   conference proceedings.

Hm, I have a question about this change:  Isn't using md5 for every
outgoing packet going to eat a lot of cpu time?  I think it might be a
more reasonable heuristic to change to md5 generation only when the syn
cache is more than half full and use arc4random at other times; this would
use less cpu in the common case, but provide the cookie support when it is
needed most.  (It'd also reduce my fears that someone might try some brute
force attacks on the cookies.)

For the hash function itself... perhaps part of the seq # the other end
has sent should be incorporated in the hash?  I think that with this
scheme, we'd get duplicate syn-acks generated by different syns.

Also, tcp_syncookies should probably unconditionally force a change back
to arc4random() generation when disabled, given that it also disregards
late arriving ack cookie responses.

Mike "Silby" Silbersack
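The two design points raised above (the cookie has to be a keyed hash of the connection, and the peer's own initial sequence number should go into that hash so that distinct SYNs never yield the same SYN-ACK) can be shown with a small stateless SYN cookie in Python. This is an added illustration written for this page; it is not the code from tcp_syncache.c or the BSDCon paper, and the 32-bit bit layout (24 bits of truncated MD5, 3 bits of MSS bucket, 5 bits of time counter), the MSS table, the acceptance window and the secret are all constructed assumptions chosen so the example runs offline.

```python
import hashlib
import socket
import struct

# Constructed demo secret; a real kernel picks one at boot and rotates it.
SECRET = b"constructed-demo-secret"

COUNTER_BITS = 5                              # low 5 bits: coarse time counter
MSS_BITS = 3                                  # next 3 bits: index into MSS_TABLE
HASH_BITS = 32 - COUNTER_BITS - MSS_BITS      # top 24 bits: truncated MD5
MSS_TABLE = (536, 1460, 4312, 8960)           # assumed MSS buckets (constructed)
COUNTER_WINDOW = 4                            # how many older counter values still validate

_COUNTER_MASK = (1 << COUNTER_BITS) - 1
_MSS_MASK = (1 << MSS_BITS) - 1


def cookie_hash(four_tuple, peer_isn, counter, secret=SECRET):
    """Keyed, truncated MD5 over the 4-tuple, the peer's ISN and the counter.

    Mixing in peer_isn is the point made in the message: two SYNs from the
    same 4-tuple carrying different ISNs get different SYN-ACK sequence numbers.
    """
    src_ip, src_port, dst_ip, dst_port = four_tuple
    data = struct.pack("!4sH4sHII",
                       socket.inet_aton(src_ip), src_port,
                       socket.inet_aton(dst_ip), dst_port,
                       peer_isn & 0xFFFFFFFF, counter & _COUNTER_MASK) + secret
    digest = hashlib.md5(data).digest()
    return int.from_bytes(digest[:4], "big") >> (32 - HASH_BITS)


def make_cookie(four_tuple, peer_isn, mss, counter):
    """Build the SYN-ACK ISN: hash | MSS bucket | counter (layout is assumed)."""
    mss_idx = 0
    for i, bucket in enumerate(MSS_TABLE):   # largest bucket not above the offered MSS
        if bucket <= mss:
            mss_idx = i
    counter &= _COUNTER_MASK
    h = cookie_hash(four_tuple, peer_isn, counter)
    return ((h << (MSS_BITS + COUNTER_BITS))
            | (mss_idx << COUNTER_BITS)
            | counter) & 0xFFFFFFFF


def check_cookie(four_tuple, ack_seq, ack_ack, now_counter):
    """Validate the handshake's final ACK with no stored syncache entry.

    ack_seq is the client's sequence number in the ACK (its ISN + 1) and
    ack_ack its acknowledgement number (our cookie + 1).  Returns the
    recovered MSS, or None if the cookie is stale, forged, or bound to a
    different 4-tuple or peer ISN.
    """
    cookie = (ack_ack - 1) & 0xFFFFFFFF
    peer_isn = (ack_seq - 1) & 0xFFFFFFFF
    counter = cookie & _COUNTER_MASK
    age = (now_counter - counter) & _COUNTER_MASK
    if age >= COUNTER_WINDOW:
        return None                           # late-arriving ACK: cookie expired
    if (cookie >> (MSS_BITS + COUNTER_BITS)) != cookie_hash(four_tuple, peer_isn, counter):
        return None                           # hash mismatch: not one we issued
    mss_idx = (cookie >> COUNTER_BITS) & _MSS_MASK
    if mss_idx >= len(MSS_TABLE):
        return None
    return MSS_TABLE[mss_idx]


if __name__ == "__main__":
    # Constructed handshake: client ISN 0x11223344, server issues a cookie at tick 7.
    conn = ("10.0.0.2", 40000, "192.0.2.1", 80)
    isn = make_cookie(conn, 0x11223344, 1460, counter=7)
    print(hex(isn), check_cookie(conn, 0x11223345, isn + 1, now_counter=7))
```

Only the 24 hash bits resist guessing, and the counter bounds how long a cookie stays valid; both fields are part of the trade-off the message worries about, since a cheaper per-SYN cost buys a smaller hash field and a wider window means more late ACKs are accepted.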

