diff options
| author | Florian Westphal <fw@strlen.de> | 2013-09-20 16:32:55 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2013-09-24 10:39:58 -0400 |
| commit | 8c27bd75f04fb9cb70c69c3cfe24f4e6d8e15906 (patch) | |
| tree | 28156d5d01cd4393da57eb328db87d784bdd4260 /include/net/tcp.h | |
| parent | 61f860c356c3d15b6cf48ef35beea664921dec1e (diff) | |
tcp: syncookies: reduce cookie lifetime to 128 seconds
We currently accept cookies that were created less than 4 minutes ago
(ie, cookies with counter delta 0-3). Combined with the 8 mss table
values, this yields 32 possible values (out of 2**32) that will be valid.
Reducing the lifetime to < 2 minutes halves the guessing chance while
still providing a large enough period.
While at it, get rid of jiffies value -- they overflow too quickly on
32 bit platforms.
getnstimeofday is used to create a counter that increments every 64s.
perf shows getnstimeofday cost is negible compared to sha_transform;
normal tcp initial sequence number generation uses getnstimeofday, too.
Reported-by: Jakob Lell <jakob@jakoblell.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include/net/tcp.h')
| -rw-r--r-- | include/net/tcp.h | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/include/net/tcp.h b/include/net/tcp.h index 0e47551e9bdb..de870ee5582d 100644 --- a/include/net/tcp.h +++ b/include/net/tcp.h | |||
| @@ -481,6 +481,24 @@ int __cookie_v4_check(const struct iphdr *iph, const struct tcphdr *th, | |||
| 481 | struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb, | 481 | struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb, |
| 482 | struct ip_options *opt); | 482 | struct ip_options *opt); |
| 483 | #ifdef CONFIG_SYN_COOKIES | 483 | #ifdef CONFIG_SYN_COOKIES |
| 484 | #include <linux/ktime.h> | ||
| 485 | |||
| 486 | /* Syncookies use a monotonic timer which increments every 64 seconds. | ||
| 487 | * This counter is used both as a hash input and partially encoded into | ||
| 488 | * the cookie value. A cookie is only validated further if the delta | ||
| 489 | * between the current counter value and the encoded one is less than this, | ||
| 490 | * i.e. a sent cookie is valid only at most for 128 seconds (or less if | ||
| 491 | * the counter advances immediately after a cookie is generated). | ||
| 492 | */ | ||
| 493 | #define MAX_SYNCOOKIE_AGE 2 | ||
| 494 | |||
| 495 | static inline u32 tcp_cookie_time(void) | ||
| 496 | { | ||
| 497 | struct timespec now; | ||
| 498 | getnstimeofday(&now); | ||
| 499 | return now.tv_sec >> 6; /* 64 seconds granularity */ | ||
| 500 | } | ||
| 501 | |||
| 484 | u32 __cookie_v4_init_sequence(const struct iphdr *iph, const struct tcphdr *th, | 502 | u32 __cookie_v4_init_sequence(const struct iphdr *iph, const struct tcphdr *th, |
| 485 | u16 *mssp); | 503 | u16 *mssp); |
| 486 | __u32 cookie_v4_init_sequence(struct sock *sk, struct sk_buff *skb, __u16 *mss); | 504 | __u32 cookie_v4_init_sequence(struct sock *sk, struct sk_buff *skb, __u16 *mss); |