From: Jonathan Lemon
Date: Tue, 18 Dec 2001 22:12:14 -0800 (PST)
To: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: cvs commit: src/sys/netinet tcp_syncache.c
Message-Id: <200112190612.fBJ6CE264053@freefall.freebsd.org>
X-FreeBSD-CVS-Branch: HEAD

jlemon      2001/12/18 22:12:14 PST

  Modified files:
    sys/netinet          tcp_syncache.c
  Log:
  Extend the SYN DoS defense by adding syncookies to the syncache.
  All TCP ISNs that are sent out are valid cookies, which allows entries
  in the syncache to be dropped and still have the ACK accepted later.
  As all entries pass through the syncache, there is no sudden switchover
  from cache -> cookies when the cache is full; instead, syncache entries
  simply have a reduced lifetime.

  More details may be found in the "Resisting DoS attacks with a SYN cache"
  paper in the Usenix BSDCon 2002 conference proceedings.

  Sponsored by: DARPA, NAI Labs

  Revision  Changes    Path
  1.6       +193 -14   src/sys/netinet/tcp_syncache.c
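
The mechanism the log describes, as an added example that is not part of the commit or of FreeBSD's tcp_syncache.c: a toy SYN cache in which every ISN sent is also a cookie, so the ACK for an evicted entry is still accepted. The cookie layout (5-bit tick, 3-bit MSS index, 24-bit HMAC-SHA256 tag), the MSS table, the key and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

SECRET = b"constructed-demo-key"      # constructed; a real stack uses random, rotated secrets
MSS_TABLE = [536, 1220, 1440, 1460]   # assumed table; the cookie only has room for an index
MAX_AGE = 2                           # assumed: accept cookies up to 2 ticks old

def _cookie(flow, peer_isn, tick, idx):
    # 5 bits of tick | 3 bits of MSS index | 24 bits of keyed MAC over all of it
    msg = repr(flow).encode() + struct.pack("!IIB", peer_isn, tick, idx)
    mac = hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]
    return ((tick & 0x1F) << 27) | (idx << 24) | int.from_bytes(mac, "big")

def make_isn(flow, peer_isn, mss, tick):
    # Round the peer's MSS down to the nearest table entry
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return _cookie(flow, peer_isn, tick, idx)

def check_cookie(flow, peer_isn, ack, now):
    """Return the encoded MSS if ack-1 is a recent cookie of ours, else None."""
    isn = (ack - 1) & 0xFFFFFFFF
    idx = (isn >> 24) & 0x7
    if idx >= len(MSS_TABLE):
        return None
    for tick in range(now, max(now - MAX_AGE, 0) - 1, -1):
        want = _cookie(flow, peer_isn, tick, idx)
        if hmac.compare_digest(want.to_bytes(4, "big"), isn.to_bytes(4, "big")):
            return MSS_TABLE[idx]
    return None

class SynCache:
    def __init__(self, limit):
        self.limit, self.entries = limit, {}

    def on_syn(self, flow, peer_isn, mss, now):
        isn = make_isn(flow, peer_isn, mss, now)        # every ISN sent is a valid cookie
        if flow not in self.entries and len(self.entries) >= self.limit:
            del self.entries[next(iter(self.entries))]  # evict oldest; its ACK still works
        self.entries[flow] = (isn, mss)
        return isn

    def on_ack(self, flow, peer_isn, ack, now):
        entry = self.entries.get(flow)
        if entry and ack == (entry[0] + 1) & 0xFFFFFFFF:
            del self.entries[flow]
            return ("cache", entry[1])                  # full state was kept
        mss = check_cookie(flow, peer_isn, ack, now)    # state rebuilt from the ACK alone
        return ("cookie", mss) if mss is not None else None
```

A connection completed from the cookie gets only the table-rounded MSS, while one completed from a surviving cache entry keeps the exact value the peer offered.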