diff options
| author | silby <silby@FreeBSD.org> | 2003-02-23 19:04:23 +0000 |
|---|---|---|
| committer | silby <silby@FreeBSD.org> | 2003-02-23 19:04:23 +0000 |
| commit | 2f99c6cb310d3987a93a6b2c1a79ef8dcd4cf940 (patch) | |
| tree | 89ee8b8f945fc628b80086163f4cfef9c3ca006e /lib/libpthread/thread | |
| parent | 479f59745501b273454b80ecb51657ed230bb295 (diff) | |
| download | FreeBSD-src-2f99c6cb310d3987a93a6b2c1a79ef8dcd4cf940.zip FreeBSD-src-2f99c6cb310d3987a93a6b2c1a79ef8dcd4cf940.tar.gz | |
Improve the security and performance of syncookies:
Security improvements:
- Increase the size of each syncookie secret from 32 to 128 bits
in order to make brute force attacks on the secrets much more
difficult.
- Always return the lowest order dword from the MD5 hash; this
allows us to expose 2 more bits of the cookie and makes ACK
floods which seek to guess the cookie value more difficult.
Performance improvements:
- Increase the lifetime of each syncookie from 4 seconds to 16
seconds. This increases the usefulness of syncookies during
an attack.
- From Yahoo!: Reduce the number of calls to MD5Update; this
results in a ~17% increase in cookie generation time here.
Reviewed by: hsu, jayanth, jlemon, nectar
MFC After: 15 seconds
Diffstat (limited to 'lib/libpthread/thread')
0 files changed, 0 insertions, 0 deletions
