On Thu, Jul 11, 2013 at 10:36:22AM +0200, Andre Oppermann wrote:
> On 10.07.2013 15:18, Fabian Keil wrote:
> >Andre Oppermann <an...@freebsd.org> wrote:
> >
> >>We have a SYN cookie implementation for quite some time now but it
> >>has some limitations with current realities for window scaling and
> >>SACK encoding in the few available bits.
> >>
> >>This patch updates and improves SYN cookies mainly by:
> >>
> >> a) encoding of MSS, WSCALE (window scaling) and SACK into the ISN
> >>    (initial sequence number) without the use of timestamp bits.
> >>
> >> b) switching to the very fast and cryptographically strong SipHash-2-4
> >>    hash MAC algorithm to protect the SYN cookie against forgery.
> >>
> >>The patch had been reviewed by dwmalone (cookies) and cperciva (siphash).
> >>
> >>Please find it here for testing:
> >>
> >>  http://people.freebsd.org/~andre/syncookie-20130708.diff
> >
> >I've been using the patch for a couple of days and didn't notice any
> >issues so far. Privoxy's regression tests continue to work as expected
> >as well.
>
> Thanks for testing and reporting back.

We are currently downloading the FreeBSD -current snapshot for testing.
Unfortunately, we've been hit by a number of SYN flood attacks recently,
and your patch looks very promising. Would there be interest in reviewing
backported patches for the 9.x release?

> Could you test with net.inet.tcp.log_debug and net.inet.tcp.syncookies_only=1
> as well to bypass the syn cache entirely?
>
> It will give a bit of debug log output which is telling you mostly about
> rounding to the next nearest index value. You can send the output privately
> to me to spot unexpected outliers, if any.
>
> >BTW, I think kern/173309 could be closed.
>
> OK.
>
> --
> Andre
>
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
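The two points Andre's patch description makes, option encoding in the ISN and a SipHash-2-4 MAC against forgery, are easier to reason about with a runnable model. The following is an added example written for this page, not code from the patch or from FreeBSD (the diff itself is only linked above, not shown). It implements SipHash-2-4 from the published specification and builds a SYN cookie on top of it. The option-byte layout (secret slot, SACK bit, 3-bit window-scale index, 3-bit MSS index in the low 8 ISN bits, a 24-bit truncated MAC above them), the two lookup tables, the two-slot secret rotation and the IPv4 4-tuple as MAC input are all my assumptions for illustration; the real patch's layout and tables may differ. The flow, the keys and the option values are constructed test data.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* SipHash-2-4 (Aumasson/Bernstein): 128-bit key, 64-bit tag, little-endian words. */
#define ROTL64(x, b) (uint64_t)(((x) << (b)) | ((x) >> (64 - (b))))
#define SIPROUND do { \
    v0 += v1; v1 = ROTL64(v1, 13); v1 ^= v0; v0 = ROTL64(v0, 32); \
    v2 += v3; v3 = ROTL64(v3, 16); v3 ^= v2; \
    v0 += v3; v3 = ROTL64(v3, 21); v3 ^= v0; \
    v2 += v1; v1 = ROTL64(v1, 17); v1 ^= v2; v2 = ROTL64(v2, 32); } while (0)

static uint64_t le64(const uint8_t *p) { uint64_t v = 0; for (int i = 7; i >= 0; i--) v = (v << 8) | p[i]; return v; }

uint64_t siphash24(const uint8_t key[16], const uint8_t *in, size_t len)
{
    uint64_t k0 = le64(key), k1 = le64(key + 8);
    uint64_t v0 = k0 ^ 0x736f6d6570736575ULL, v1 = k1 ^ 0x646f72616e646f6dULL;
    uint64_t v2 = k0 ^ 0x6c7967656e657261ULL, v3 = k1 ^ 0x7465646279746573ULL;
    uint64_t b = (uint64_t)len << 56;          /* last block carries len in its top byte */
    size_t i, full = len & ~(size_t)7;
    for (i = 0; i < full; i += 8) {
        uint64_t m = le64(in + i);
        v3 ^= m; SIPROUND; SIPROUND; v0 ^= m;  /* c = 2 compression rounds per block */
    }
    for (i = full; i < len; i++) b |= (uint64_t)in[i] << (8 * (i - full));
    v3 ^= b; SIPROUND; SIPROUND; v0 ^= b;
    v2 ^= 0xff; SIPROUND; SIPROUND; SIPROUND; SIPROUND;   /* d = 4 finalization rounds */
    return v0 ^ v1 ^ v2 ^ v3;
}

/* SYN cookie ISN = 24-bit truncated SipHash MAC | 8 option bits.  Layout and tables are
 * ASSUMED for this example: bit 0 = secret slot, bit 1 = SACK ok, bits 2-4 = wscale
 * table index, bits 5-7 = MSS table index.  (The patch's own are not on the page.) */
static const uint16_t mss_tab[8]    = { 216, 536, 1200, 1360, 1400, 1440, 1452, 1460 };
static const uint8_t  wscale_tab[8] = { 0, 2, 4, 6, 7, 8, 10, 14 };
struct syncookie_secret { uint8_t key[2][16]; int cur; };   /* two slots, rotated in turn */
struct syn_tuple { uint32_t saddr, daddr; uint16_t sport, dport; };
struct syn_opts  { uint16_t mss; uint8_t wscale; int sack_ok; };

/* The MAC binds the 4-tuple and the option byte: a cookie cannot be moved to another
 * flow, and a peer cannot talk itself into a larger MSS or window scale than issued. */
static uint32_t cookie_mac(const uint8_t key[16], const struct syn_tuple *t, uint8_t opt)
{
    uint8_t buf[13];
    memcpy(buf, &t->saddr, 4); memcpy(buf + 4, &t->daddr, 4);
    memcpy(buf + 8, &t->sport, 2); memcpy(buf + 10, &t->dport, 2); buf[12] = opt;
    return (uint32_t)siphash24(key, buf, sizeof buf) & 0xffffff00u;
}

uint32_t syncookie_generate(const struct syncookie_secret *s, const struct syn_tuple *t,
                            const struct syn_opts *req)
{
    int mi = 0, wi = 0;
    for (int i = 0; i < 8; i++) {   /* round each option DOWN to the nearest table entry */
        if (mss_tab[i] <= req->mss) mi = i;
        if (wscale_tab[i] <= req->wscale) wi = i;
    }
    uint8_t opt = (uint8_t)((s->cur & 1) | ((req->sack_ok ? 1 : 0) << 1) | (wi << 2) | (mi << 5));
    return cookie_mac(s->key[s->cur & 1], t, opt) | opt;
}

/* On the final ACK the ISN is ack - 1.  Recompute the MAC under the slot the cookie names;
 * on a match the options come back from the tables, so no per-SYN state was ever kept. */
int syncookie_verify(const struct syncookie_secret *s, const struct syn_tuple *t,
                     uint32_t ack, struct syn_opts *out)
{
    uint32_t isn = ack - 1;
    uint8_t opt = (uint8_t)(isn & 0xff);
    if ((isn & 0xffffff00u) != cookie_mac(s->key[opt & 1], t, opt)) return 0;
    out->mss = mss_tab[opt >> 5]; out->wscale = wscale_tab[(opt >> 2) & 7];
    out->sack_ok = (opt >> 1) & 1;
    return 1;
}

/* Round trip on a constructed flow 10.0.0.1:40000 -> 10.0.0.2:80 with fixed test keys
 * (a kernel draws them from its CSPRNG).  Returns 1 when every check passes. */
int syncookie_selftest(void)
{
    struct syncookie_secret s = { .cur = 0 };
    for (int i = 0; i < 16; i++) { s.key[0][i] = (uint8_t)i; s.key[1][i] = (uint8_t)(0xa0 + i); }
    struct syn_tuple t = { 0x0a000001, 0x0a000002, 40000, 80 }, t2 = t;
    struct syn_opts req = { 1500, 9, 1 }, got;   /* expect 1500 -> 1460, wscale 9 -> 8 */
    uint32_t isn = syncookie_generate(&s, &t, &req);
    int ok = syncookie_verify(&s, &t, isn + 1, &got) && got.mss == 1460 && got.wscale == 8 && got.sack_ok;
    ok = ok && !syncookie_verify(&s, &t, (isn ^ 0x100) + 1, &got);  /* MAC bit flipped */
    ok = ok && !syncookie_verify(&s, &t, (isn ^ 0x02) + 1, &got);   /* SACK bit forged */
    t2.sport = 40001;
    ok = ok && !syncookie_verify(&s, &t2, isn + 1, &got);           /* different 4-tuple */
    s.cur = 1;                                                      /* rotate to new slot */
    ok = ok && syncookie_verify(&s, &t, isn + 1, &got);             /* old slot still valid */
    return ok;
}

int main(void)
{
    printf("syncookie self-test: %s\n", syncookie_selftest() ? "ok" : "FAIL");
    return 0;
}
```

Two caveats a deployment should keep in mind. Only 24 bits of the tag fit in the ISN, so a blind forgery succeeds with probability 2^-24 per ACK; the MAC stops an attacker from choosing the options, it does not replace rate limiting. And because the cookie carries no timestamp, its lifetime is bounded only by how often the secret slots are re-keyed: a slot must live at least one full handshake round trip, and re-keying it invalidates every cookie issued under it. The "rounding to the next nearest index value" that Andre's debug output reports is the round-down in syncookie_generate: a client offering MSS 1500 or window scale 9 gets 1460 and 8 back, which is why the tables, not the MAC, decide how much fidelity the cookie keeps.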