freebsd-nq/sys/netinet
Mike Silbersack a432399c56 Improve the security and performance of syncookies:
Security improvements:
- Increase the size of each syncookie secret from 32 to 128 bits
  in order to make brute force attacks on the secrets much more
  difficult.
- Always return the lowest order dword from the MD5 hash; this
  allows us to expose 2 more bits of the cookie and makes ACK
  floods which seek to guess the cookie value more difficult.

Performance improvements:
- Increase the lifetime of each syncookie from 4 seconds to 16
  seconds.  This increases the usefulness of syncookies during
  an attack.
- From Yahoo!: Reduce the number of calls to MD5Update; this
  results in a ~17% increase in cookie generation time here.

Reviewed by:	hsu, jayanth, jlemon, nectar
MFC After:	15 seconds
2003-02-23 19:04:23 +00:00
libalias Correct typos, mostly s/ a / an / where appropriate. Some whitespace cleanup, 2003-01-01 18:49:04 +00:00
accf_data.c Remove so*_locked(), which were backed out by mistake. 2002-06-18 07:42:02 +00:00
accf_http.c Remove so*_locked(), which were backed out by mistake. 2002-06-18 07:42:02 +00:00
icmp6.h s/__attribute__((__packed__))/__packed/g 2002-09-23 06:25:08 +00:00
icmp_var.h Remove __P. 2002-03-19 21:25:46 +00:00
if_atm.c - Change the newly turned INVARIANTS #ifdef blocks (they were changed from 2002-05-21 18:52:24 +00:00
if_atm.h Remove __P. 2002-03-19 21:25:46 +00:00
if_ether.c Back out M_* changes, per decision of the TRB. 2003-02-19 05:47:46 +00:00
if_ether.h Fixed some style bugs in the removal of __P(()). Continuation lines 2002-03-24 10:19:10 +00:00
igmp_var.h Remove __P. 2002-03-19 21:25:46 +00:00
igmp.c Back out M_* changes, per decision of the TRB. 2003-02-19 05:47:46 +00:00
igmp.h
in_cksum.c
in_gif.c Back out M_* changes, per decision of the TRB. 2003-02-19 05:47:46 +00:00
in_gif.h last arg of in6?_gif_output() is not used any more. 2002-10-17 17:47:55 +00:00
in_pcb.c The ancient and outdated concept of "privileged ports" in UNIX-type 2003-02-21 05:28:27 +00:00
in_pcb.h Add a TCP TIMEWAIT state which uses less space than a fullblown TCP 2003-02-19 22:32:43 +00:00
in_proto.c Add a TCP TIMEWAIT state which uses less space than a fullblown TCP 2003-02-19 22:32:43 +00:00
in_rmx.c Get cosmetic changes out of the way before I add routing table SMP locks. 2003-02-10 22:01:34 +00:00
in_systm.h Remove __P. 2002-03-19 21:25:46 +00:00
in_var.h Fixed some style bugs in the removal of __P(()). Continuation lines 2002-03-24 10:19:10 +00:00
in.c Back out M_* changes, per decision of the TRB. 2003-02-19 05:47:46 +00:00
in.h Correct typos, mostly s/ a / an / where appropriate. Some whitespace cleanup, 2003-01-01 18:49:04 +00:00
ip6.h s/__attribute__((__packed__))/__packed/g 2002-09-23 06:25:08 +00:00
ip_divert.c Back out M_* changes, per decision of the TRB. 2003-02-19 05:47:46 +00:00
ip_dummynet.c De-anonymity a couple of messages I missed in a previous sweep. 2003-01-20 13:03:34 +00:00
ip_dummynet.h o Trim EOL whitespaces. 2002-12-15 10:24:36 +00:00
ip_ecn.c initialize local variable explicitly 2002-04-11 02:14:21 +00:00
ip_ecn.h Remove __P. 2002-03-19 21:25:46 +00:00
ip_encap.c Back out M_* changes, per decision of the TRB. 2003-02-19 05:47:46 +00:00
ip_encap.h Remove __P. 2002-03-19 21:25:46 +00:00
ip_flow.c s/FREE/free/ 2001-11-04 17:35:31 +00:00
ip_flow.h
ip_fw2.c Back out M_* changes, per decision of the TRB. 2003-02-19 05:47:46 +00:00
ip_fw.c Back out M_* changes, per decision of the TRB. 2003-02-19 05:47:46 +00:00
ip_fw.h Oops, forgot to commit this file. This is part of the fix 2002-10-24 22:32:13 +00:00
ip_gre.c MFS: recognize gre packets used in the WCCP protocol. 2002-12-07 14:22:05 +00:00
ip_gre.h de-__P(). 2002-10-16 22:27:27 +00:00
ip_icmp.c Back out M_* changes, per decision of the TRB. 2003-02-19 05:47:46 +00:00
ip_icmp.h Fix two instances of variant struct definitions in sys/netinet: 2002-10-20 22:52:07 +00:00
ip_id.c Remove __P. 2002-03-19 21:25:46 +00:00
ip_input.c Add a new config option IPSEC_FILTERGIF to control whether or not 2003-02-23 00:47:06 +00:00
ip_mroute.c Back out M_* changes, per decision of the TRB. 2003-02-19 05:47:46 +00:00
ip_mroute.h Massive cleanup of the ip_mroute code. 2002-11-15 22:53:53 +00:00
ip_output.c Remove unused variables in the IPSEC case. 2003-02-20 18:22:21 +00:00
ip_var.h Add the ability to limit the number of IP fragments allowed per packet, 2003-02-22 06:41:47 +00:00
ip.h Fix two instances of variant struct definitions in sys/netinet: 2002-10-20 22:52:07 +00:00
ipprotosw.h
raw_ip.c Back out M_* changes, per decision of the TRB. 2003-02-19 05:47:46 +00:00
tcp_debug.c It's now sufficient to rely on a nested include of _label.h to make sure 2002-08-15 14:34:45 +00:00
tcp_debug.h make the strings for tcptimers, tanames and prurequests const to silence 2002-08-16 09:07:59 +00:00
tcp_fsm.h WARNS=n and lint(1) silencer. Declare an array of (const) strings 2002-02-03 11:57:32 +00:00
tcp_input.c Yesterday just wasn't my day. Remove testing delta that crept into the diff. 2003-02-23 15:40:36 +00:00
tcp_output.c Convert tcp_fillheaders(tp, ...) -> tcpip_fillheaders(inp, ...) so the 2003-02-19 22:18:06 +00:00
tcp_reass.c Yesterday just wasn't my day. Remove testing delta that crept into the diff. 2003-02-23 15:40:36 +00:00
tcp_seq.h Fix NewReno. 2003-01-13 11:01:20 +00:00
tcp_subr.c - m = m_gethdr(M_NOWAIT, MT_HEADER); 2003-02-21 23:17:12 +00:00
tcp_syncache.c Improve the security and performance of syncookies: 2003-02-23 19:04:23 +00:00
tcp_timer.c Add a TCP TIMEWAIT state which uses less space than a fullblown TCP 2003-02-19 22:32:43 +00:00
tcp_timer.h Add a TCP TIMEWAIT state which uses less space than a fullblown TCP 2003-02-19 22:32:43 +00:00
tcp_timewait.c - m = m_gethdr(M_NOWAIT, MT_HEADER); 2003-02-21 23:17:12 +00:00
tcp_usrreq.c Unbreak the automatic remapping of an INADDR_ANY destination address 2002-10-24 02:02:34 +00:00
tcp_var.h Add a TCP TIMEWAIT state which uses less space than a fullblown TCP 2003-02-19 22:32:43 +00:00
tcp.h Include <sys/cdefs.h> so the visibility conditionals are available. 2002-10-02 04:22:34 +00:00
tcpip.h
udp_usrreq.c Back out M_* changes, per decision of the TRB. 2003-02-19 05:47:46 +00:00
udp_var.h Notify functions can destroy the pcb, so they have to return an 2002-06-14 08:35:21 +00:00
udp.h