#1
    Just Joined! | Join Date: Sep 2007 | Posts: 4

    a new method to realize syncookie


    Hi guys, I have written a new method to implement syncookie to defend against DDOS.
    I have tested the performance of generating and checking cookies, which is 50 times quicker than the standard method.

    On my VMware running on a P4 1.7G ThinkPad, it generates 100,000,000 cookies in 11 seconds, while the standard method takes 26 seconds to do 5,000,000 SHA1 encryptions. The standard method would take more time to generate/check a cookie, as SHA1 encryption is just one of its steps to generate the cookie. So in terms of efficiency, my method would be more than 50 times better than the standard way.

    I have tested it on 2.6.20-18, but I have no environment to simulate DDOS (I have only one notebook). I post my code here and hope that someone is interested and will do some pressure testing on it. Any suggestion will be highly appreciated! Please contact me at high.lin@gmail.com if you would like to discuss it with me.

#2

    How to use it:

    I have only tested it on 2.6.20-18.

    1: replace linux-2.6.20.18/net/ipv4/syncookie.c with mine
    2: compile a new kernel with syncookie support
    3: echo n > /proc/sys/net/ipv4/tcp_syncookie
    If n=1, you choose to use the standard method of syncookie;
    if n>1, you choose to use my new method. n means the 1024-byte secret is regenerated every n seconds.

    Please set n to a high value, say 300, to reduce the overhead of re-creating the secret.

#3

    The good and the bad

    The good:
    great performance compared to the standard way of the Linux kernel

    The bad:
    1: ignores all TCP options
    2: the ISN is totally random, so it doesn't comply with the TCP/IP specification
    3: a legal connection will be reset if its ACK hasn't been received before the new secret is generated
    4: not sure if my way of generating the cookie/ISN is weak? I think it should be fine, and anyway, we can choose how frequently to regenerate the secret.
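
As an added reference (not the poster's attached code, which is not reproduced in the thread, and not the kernel's own implementation), here is a toy Python version of the classic stateless SYN cookie that points 1 and 3 in the list above are measured against: the MSS option is encoded in the cookie, and freshness comes from a time counter carried in the cookie rather than from regenerating the secret, so a legitimate ACK is not reset just because a new secret was created. The keys, addresses, MSS table and age window are constructed for the demo.

```python
"""Toy stateless SYN cookie in the classic Bernstein/Linux shape.

Constructed for this thread as a reference design; not the poster's patch and
not kernel code. Keys, addresses, the MSS table and the age window are made up.
"""
import hashlib
import hmac
import socket
import struct

COOKIEBITS = 24                       # low 24 bits: hash2 + MSS index; top 8 bits: time counter
COOKIEMASK = (1 << COOKIEBITS) - 1
MAX_SYNCOOKIE_AGE = 2                 # accept cookies from the current and the previous tick
MSS_TABLE = (536, 1300, 1440, 1460)   # MSS values the small index can encode (constructed table)


class SynCookieValidator:
    """Issues the server ISN as a cookie and later validates the returning ACK.

    Nothing is stored per half-open connection: the 4-tuple and the client ISN
    are read back from the ACK, and the cookie itself carries the time counter
    and the MSS choice. The two keys stay fixed; a cookie expires because its
    counter falls outside MAX_SYNCOOKIE_AGE ticks, not because a secret rotated.
    """

    def __init__(self, key1: bytes, key2: bytes, tick_seconds: int = 60):
        self._key1 = key1
        self._key2 = key2
        self._tick = tick_seconds

    def _count(self, now: int) -> int:
        # 8-bit tick counter stored in the top byte of the cookie
        return (now // self._tick) & 0xFF

    def _hash(self, key: bytes, saddr: bytes, daddr: bytes, sport: int, dport: int, count: int) -> int:
        # keyed hash over the 4-tuple (and counter), truncated to 32 bits
        msg = struct.pack("!4s4sHHI", saddr, daddr, sport, dport, count)
        return struct.unpack("!I", hmac.new(key, msg, hashlib.sha256).digest()[:4])[0]

    @staticmethod
    def _mss_index(mss: int) -> int:
        # largest table entry not exceeding the MSS the client advertised
        idx = 0
        for i, value in enumerate(MSS_TABLE):
            if value <= mss:
                idx = i
        return idx

    def make_cookie(self, saddr, daddr, sport, dport, client_isn, mss, now) -> int:
        count = self._count(now)
        h1 = self._hash(self._key1, saddr, daddr, sport, dport, 0)      # hash1 is counter-independent
        h2 = self._hash(self._key2, saddr, daddr, sport, dport, count)  # hash2 binds the counter
        data = self._mss_index(mss)
        return (h1 + client_isn + (count << COOKIEBITS) + ((h2 + data) & COOKIEMASK)) & 0xFFFFFFFF

    def check_cookie(self, saddr, daddr, sport, dport, client_isn, cookie, now):
        """Return the MSS encoded in a valid, fresh cookie; None if invalid or expired."""
        h1 = self._hash(self._key1, saddr, daddr, sport, dport, 0)
        rest = (cookie - client_isn - h1) & 0xFFFFFFFF
        count = rest >> COOKIEBITS
        if ((self._count(now) - count) & 0xFF) >= MAX_SYNCOOKIE_AGE:
            return None                                   # too old (or from the future)
        h2 = self._hash(self._key2, saddr, daddr, sport, dport, count)
        data = (rest - h2) & COOKIEMASK
        if data >= len(MSS_TABLE):
            return None                                   # hash mismatch: forged or corrupted
        return MSS_TABLE[data]


def demo():
    """Fresh ACK, late ACK and an ACK with a wrong acknowledgement number (constructed)."""
    v = SynCookieValidator(b"demo-key-1-not-secret", b"demo-key-2-not-secret", tick_seconds=60)
    saddr, daddr = socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.1")
    sport, dport, client_isn = 40000, 80, 0x12345678
    cookie = v.make_cookie(saddr, daddr, sport, dport, client_isn, 1460, now=1000)
    fresh = v.check_cookie(saddr, daddr, sport, dport, client_isn, cookie, now=1059)
    late = v.check_cookie(saddr, daddr, sport, dport, client_isn, cookie, now=1120)
    wrong_ack = v.check_cookie(saddr, daddr, sport, dport, client_isn, (cookie + 4) & 0xFFFFFFFF, now=1000)
    return fresh, late, wrong_ack


if __name__ == "__main__":
    print(demo())  # (1460, None, None)
```

The point of the layout is that the validator needs no per-connection state and no secret rotation: the counter in the top byte says which tick issued the cookie, hash2 ties that counter to the 4-tuple so it cannot be moved forward, and the age check bounds how long a returning ACK is honoured.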
