09-14-2007 #1
a new method to realize syncookie
Hi guys, I have written a new method to implement syncookie to defend against DDoS.
I have tested the performance of generating and checking the cookie, which is 50 times quicker than the standard method.
On my VMware VM running on a P4 1.7G ThinkPad, it generates 100,000,000 cookies in 11 seconds, while the standard method takes 26 seconds to do 5,000,000 SHA1 encryptions. The standard method would take more time to generate/check a cookie, as SHA1 encryption is just one of its steps to generate a cookie. So in terms of efficiency, my method would be more than 50 times better than the standard way.
I have tested it on 2.6.20-18, but I have no environment to simulate DDoS (I have only one notebook). I post my code here and hope that someone is interested and will do some stress testing on it. Any suggestion will be highly appreciated! Please contact me at high.lin@gmail.com if you would like to discuss it with me.
09-14-2007 #2
How to use it:
I have only tested it on 2.6.20-18.
1: replace linux-2.6.20.18/net/ipv4/syncookie.c with mine
2: compile the new kernel with syncookie support
3: echo n > /proc/sys/net/ipv4/tcp_syncookie
If n=1 then you choose to use the standard syncookie method;
if n>1 you choose to use my new method. n means to regenerate the 1024-byte secret every n seconds.
Please set n to a high value, say 300, to reduce the overhead of re-creating the secret.
09-14-2007 #3
The good and the bad
The good:
great performance compared to the standard way of the Linux kernel
The bad:
1: it ignores all TCP options
2: the ISN is totally random, so it doesn't comply with the TCP/IP specification
3: a legal connection will be reset if its ACK hasn't been received before the new secret is generated
4: not sure if my way to generate the cookie/ISN is weak? I think it should be fine. And anyway, we can choose how frequently to regenerate the secret.
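Weakness 3 above (a legitimate ACK that arrives after the secret has been regenerated no longer validates, so the handshake is reset) can be modelled in user space. The following is an added example, not the poster's kernel patch: it keys a SHA1 cookie over the 4-tuple with a 1024-byte secret rotated every n seconds, and shows that keeping the previous secret valid for one more period lets a handshake that spans a rotation complete. Addresses, ports and timings are constructed.

```python
import hashlib
import os
import struct

SECRET_BYTES = 1024    # post #2: a 1024-byte secret, regenerated every n seconds
ROTATE_SECONDS = 300   # the n recommended in post #2 (constructed default)

def cookie_hash(secret, saddr, daddr, sport, dport):
    """32-bit cookie over the 4-tuple, keyed with the secret (SHA1 as in the standard method)."""
    data = secret + struct.pack("!4s4sHH", saddr, daddr, sport, dport)
    return struct.unpack("!I", hashlib.sha1(data).digest()[:4])[0]

class SynCookies:
    """keep_previous=False: only the current secret validates (weakness 3 in post #3).
    keep_previous=True: the previous secret stays valid for one more period."""

    def __init__(self, keep_previous, rotate_seconds=ROTATE_SECONDS):
        self.keep_previous = keep_previous
        self.rotate_seconds = rotate_seconds
        self.current = os.urandom(SECRET_BYTES)
        self.previous = None
        self.period = 0  # rotation period the current secret belongs to

    def tick(self, now):
        # Replace the secret when a new period of rotate_seconds begins.
        period = now // self.rotate_seconds
        if period != self.period:
            self.previous, self.current = self.current, os.urandom(SECRET_BYTES)
            self.period = period

    def make_isn(self, now, saddr, daddr, sport, dport):
        self.tick(now)
        return cookie_hash(self.current, saddr, daddr, sport, dport)

    def check_ack(self, now, saddr, daddr, sport, dport, ack):
        """Accept the ACK only if ack-1 is a cookie we could have issued."""
        self.tick(now)
        isn = (ack - 1) & 0xFFFFFFFF
        if isn == cookie_hash(self.current, saddr, daddr, sport, dport):
            return True
        if self.keep_previous and self.previous is not None:
            return isn == cookie_hash(self.previous, saddr, daddr, sport, dport)
        return False

def handshake_across_rotation(keep_previous, rotate_seconds=ROTATE_SECONDS):
    """SYN arrives 1 s before the secret rotates, the ACK 1 s after (constructed timing)."""
    sc = SynCookies(keep_previous, rotate_seconds)
    saddr, daddr, sport, dport = bytes([10, 0, 0, 5]), bytes([192, 0, 2, 80]), 40000, 80
    isn = sc.make_isn(rotate_seconds - 1, saddr, daddr, sport, dport)
    return sc.check_ack(rotate_seconds + 1, saddr, daddr, sport, dport, (isn + 1) & 0xFFFFFFFF)
```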