Netgate Discussion Forum
    Improved SYN cookies feature merged into FreeBSD-10

    • dhatz

      I wonder if this new syncookies implementation could be used to enhance pf's "synproxy" feature? … (afaik synproxy currently results in bad performance, as a connection created via a pf synproxy rule will not support window scaling, SACK, timestamps, etc.)

      http://lists.freebsd.org/pipermail/svn-src-all/2013-July/071715.html

      Author: andre
      Date: Thu Jul 11 15:29:25 2013
      New Revision: 253210
      URL: http://svnweb.freebsd.org/changeset/base/253210

      Log:
        Improve SYN cookies by encoding the MSS, WSCALE (window scaling) and SACK
        information into the ISN (initial sequence number) without the additional
        use of timestamp bits and switching to the very fast and cryptographically
        strong SipHash-2-4 MAC hash algorithm to protect the SYN cookie against
        forgeries.
       
        The purpose of SYN cookies is to encode all necessary session state in
        the 32 bits of our initial sequence number to avoid storing any information
        locally in memory.  This is especially important when under heavy spoofed
        SYN attacks where we would either run out of memory or the syncache would
        fill with bogus connection attempts swamping out legitimate connections.
       
        The original SYN cookies method only stored an indexed MSS value in the
        cookie.  This isn't sufficient anymore and breaks down in the presence of
        WSCALE information which is only exchanged during SYN and SYN-ACK.  If we
        can't keep track of it then we may severely underestimate the available
        send or receive window. This is compounded with large windows whose size
        information on the TCP segment header is even lower numerically.  A number
        of years back SYN cookies were extended to store the additional state in
        the TCP timestamp fields, if available on a connection.  While timestamps
        are common among the BSD, Linux and other *nix systems Windows never enabled
        them by default and thus are not present for the vast majority of clients
        seen on the Internet.
       
        The common parameters used on TCP sessions have changed quite a bit since
        SYN cookies were invented some 17 years ago.  Today we have a lot more
        bandwidth available making the use of window scaling almost mandatory.  Also
        SACK has become standard making recovering from packet loss much more
        efficient.
       
        This change moves all necessary information into the ISS removing the need
        for timestamps.  Both the MSS (16 bits) and send WSCALE (4 bits) are stored
        in 3 bit indexed form together with a single bit for SACK.  While this is
        significantly less than the original range, it is sufficient to encode all
        common values with minimal rounding.
       
        The MSS depends on the MTU of the path and with the dominance of ethernet
        the main value seen is around 1460 bytes.  Encapsulations for DSL lines
        and some other overheads reduce it by a few more bytes for many connections
        seen.  Rounding down to the next lower value in some cases isn't a problem
        as we send only slightly more packets for the same amount of data.
       
        The send WSCALE index is a bit more tricky as rounding down under-estimates
        the available send space available towards the remote host, however a small
        number of values dominate and are carefully selected again.
       
        The receive WSCALE isn't encoded at all but recalculated based on the local
        receive socket buffer size when a valid SYN cookie returns.  A listen socket
        buffer size is unlikely to change while active.
       
        The index values for MSS and WSCALE are selected for minimal rounding errors
        based on large traffic surveys.  These values have to be periodically
        validated against newer traffic surveys adjusting the arrays tcp_sc_msstab[]
        and tcp_sc_wstab[] if necessary.
       
        In addition the hash MAC to protect the SYN cookies is changed from MD5
        to SipHash-2-4, a much faster and cryptographically secure algorithm.
       
        Reviewed by: dwmalone
        Tested by: Fabian Keil

      PS: The author had also just merged an implementation of the SipHash cryptographically strong hash function, to be used by the new syncookies feature.

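      To make the commit message concrete, here is an added model of the scheme it describes; it is example code written for this thread, not FreeBSD's tcp_syncache.c. It packs a 3-bit MSS index, a 3-bit send-WSCALE index and a SACK bit into the low 7 bits of the ISN and fills the remaining 25 bits with a truncated SipHash-2-4 MAC over the connection 4-tuple and those 7 bits, so the listener keeps no per-SYN state and a forged ACK fails the MAC check. The index tables, the bit layout, the function names and the sample key and addresses are all constructed assumptions; FreeBSD's real tables are tcp_sc_msstab[] and tcp_sc_wstab[], chosen from traffic surveys as the log says.

```python
"""Model of an ISN-only SYN cookie protected by SipHash-2-4 (constructed example).

ISN layout assumed here (not FreeBSD's exact layout):
  bits 0-2   index into MSS_TAB          (3 bits)
  bits 3-5   index into WSCALE_TAB       (3 bits)
  bit  6     peer offered SACK           (1 bit)
  bits 7-31  truncated SipHash-2-4 MAC over 4-tuple + the 7 state bits
"""
import ipaddress
import os

MASK64 = (1 << 64) - 1

# Constructed, ascending index tables (8 entries each, so a 3-bit index).
# FreeBSD keeps its own survey-derived tcp_sc_msstab[] / tcp_sc_wstab[].
MSS_TAB = (216, 536, 1200, 1360, 1400, 1440, 1452, 1460)
WSCALE_TAB = (0, 1, 2, 3, 4, 6, 7, 8)

FLAG_BITS = 7
MAC_BITS = 32 - FLAG_BITS


def _rotl(x, b):
    return ((x << b) | (x >> (64 - b))) & MASK64


def _sipround(v0, v1, v2, v3):
    v0 = (v0 + v1) & MASK64; v1 = _rotl(v1, 13); v1 ^= v0; v0 = _rotl(v0, 32)
    v2 = (v2 + v3) & MASK64; v3 = _rotl(v3, 16); v3 ^= v2
    v0 = (v0 + v3) & MASK64; v3 = _rotl(v3, 21); v3 ^= v0
    v2 = (v2 + v1) & MASK64; v1 = _rotl(v1, 17); v1 ^= v2; v2 = _rotl(v2, 32)
    return v0, v1, v2, v3


def siphash24(key, msg):
    """SipHash-2-4 with a 16-byte key; returns the 64-bit tag as an int."""
    assert len(key) == 16
    k0 = int.from_bytes(key[:8], "little")
    k1 = int.from_bytes(key[8:], "little")
    v0 = k0 ^ 0x736F6D6570736575
    v1 = k1 ^ 0x646F72616E646F6D
    v2 = k0 ^ 0x6C7967656E657261
    v3 = k1 ^ 0x7465646279746573
    full = len(msg) - len(msg) % 8
    for i in range(0, full, 8):                      # 2 compression rounds per block
        m = int.from_bytes(msg[i:i + 8], "little")
        v3 ^= m
        for _ in range(2):
            v0, v1, v2, v3 = _sipround(v0, v1, v2, v3)
        v0 ^= m
    # final block: leftover bytes, message length in the top byte
    last = ((len(msg) & 0xFF) << 56) | int.from_bytes(msg[full:], "little")
    v3 ^= last
    for _ in range(2):
        v0, v1, v2, v3 = _sipround(v0, v1, v2, v3)
    v0 ^= last
    v2 ^= 0xFF                                       # 4 finalization rounds
    for _ in range(4):
        v0, v1, v2, v3 = _sipround(v0, v1, v2, v3)
    return v0 ^ v1 ^ v2 ^ v3


def _round_down_index(table, value):
    """Largest index whose entry does not exceed value (index 0 if none does).

    Rounding the MSS down only costs slightly more segments for the same data;
    rounding WSCALE down under-estimates the peer's window, as the log notes."""
    idx = 0
    for i, entry in enumerate(table):
        if entry <= value:
            idx = i
    return idx


def _mac(key, tuple4, flags):
    src, dst, sport, dport = tuple4
    msg = (ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
           + sport.to_bytes(2, "big") + dport.to_bytes(2, "big") + bytes([flags]))
    return siphash24(key, msg) & ((1 << MAC_BITS) - 1)


def make_syn_cookie(key, tuple4, mss, wscale, sack_ok):
    """Build the ISN to send in the SYN-ACK from the peer's SYN options."""
    flags = (_round_down_index(MSS_TAB, mss)
             | (_round_down_index(WSCALE_TAB, wscale) << 3)
             | (int(bool(sack_ok)) << 6))
    return (_mac(key, tuple4, flags) << FLAG_BITS) | flags


def check_syn_cookie(key, tuple4, ack):
    """Validate the returning ACK (cookie = ack - 1); None if forged or stale."""
    isn = (ack - 1) & 0xFFFFFFFF
    flags = isn & ((1 << FLAG_BITS) - 1)
    if (isn >> FLAG_BITS) != _mac(key, tuple4, flags):
        return None
    return {"mss": MSS_TAB[flags & 7],
            "wscale": WSCALE_TAB[(flags >> 3) & 7],
            "sack_ok": bool((flags >> 6) & 1)}


if __name__ == "__main__":
    key = os.urandom(16)                                  # per-listener secret
    tuple4 = ("192.0.2.10", "198.51.100.1", 40000, 443)   # constructed addresses
    isn = make_syn_cookie(key, tuple4, mss=1448, wscale=7, sack_ok=True)
    print("ISN 0x%08x ->" % isn, check_syn_cookie(key, tuple4, isn + 1))
    print("tampered ->", check_syn_cookie(key, tuple4, (isn ^ 0x40) + 1))
```

      The receive-side WSCALE is deliberately absent from the cookie, matching the log: the listener recomputes it from its own socket buffer size when a valid cookie comes back, so it needs no bits in the ISN.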
      • lowprofile

        Any news regarding this feature?
