On 16.07.2013 13:32, Loganaden Velvindron wrote:
On Thu, Jul 11, 2013 at 10:36:22AM +0200, Andre Oppermann wrote:
On 10.07.2013 15:18, Fabian Keil wrote:
Andre Oppermann <an...@freebsd.org> wrote:
We have a SYN cookie implementation for quite some time now but it
has some limitations with current realities for window scaling and
SACK encoding in the few available bits.
This patch updates and improves SYN cookies mainly by:
a) encoding of MSS, WSCALE (window scaling) and SACK into the ISN
(initial sequence number) without the use of timestamp bits.
b) switching to the very fast and cryptographically strong SipHash-2-4
hash MAC algorithm to protect the SYN cookie against forgery.
The patch had been reviewed by dwmalone (cookies) and cperciva (siphash).
Please find it here for testing:
http://people.freebsd.org/~andre/syncookie-20130708.diff
I've been using the patch for a couple of days and didn't notice any
issues so far. Privoxy's regression tests continue to work as expected
as well.
Thanks for testing and reporting back.
We are currently downloading FreeBSD -current snapshot for testing.
Unfortunately, we've been hit by a number of SYN flood attacks recently,
and your patch looks very promising.
It should help a lot.
Would there be interest in reviewing backported patches for the 9.x release?
A backport should be straightforward. I currently can't commit it because
of feature freeze for the upcoming 9.2 release cycle. Once the 9.2 branch
has been created I'll do the MFC to 9-stable.
--
Andre
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net