author | 2016-03-27 19:19:01 +0000 | |
---|---|---|
committer | 2016-03-27 19:19:01 +0000 | |
commit | 8b71aa9180bb83952b5b17e72f20582d4c6f2fc0 (patch) | |
tree | 96889ad5e3ded3f87fd0651f5c7cd0ef1fe8300b /gnu/gcc/libcpp/files.c | |
parent | Make it possible to override the standard card detect mechanism. The SD (diff) | |
To prevent attacks on the hash buckets of the syn cache, our TCP
stack reseeds the hash function every time the cache is empty.
Unfortunately the attacker can prevent the reseeding by sending
unanswered SYN packets periodically.

Fix this by having an active syn cache that gets new entries and a
passive one that is idling out. When the passive one is empty and
the active one has been used 100000 times, they switch roles and
the hash function is reseeded with new random.

tedu@ agrees; OK mpi@
Diffstat (limited to 'gnu/gcc/libcpp/files.c')
0 files changed, 0 insertions, 0 deletions
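The reseeding behaviour described in the commit message, as a small tick-based model added here for illustration; it is not the OpenBSD code. The names `syn_set`, `reseeds_single` and `reseeds_dual`, the `LIFETIME` value, the `rand()` stand-in for the kernel random source, and counting only inserts as "uses" are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define USE_LIMIT 100000 /* uses before a switch, from the commit message */
#define LIFETIME  75     /* constructed: ticks until an unanswered SYN expires */
/* One cache set: hash seed plus the tick of its newest entry. */
struct syn_set { uint32_t seed; long last_insert; int used; };
/* Stand-in for the kernel random source (assumption, not a CSPRNG). */
static uint32_t new_seed(void) { return (uint32_t)rand(); }

/* All entries share one lifetime, so a set is empty once its newest expired. */
static int set_empty(const struct syn_set *s, long now) {
    return !s->used || now - s->last_insert >= LIFETIME;
}

/* Old scheme: a single cache, reseeded only when it is found empty. */
long reseeds_single(long ticks, long interval) {
    struct syn_set c = { new_seed(), 0, 1 };
    long reseeds = 0;
    for (long now = interval; now < ticks; now += interval) {
        if (set_empty(&c, now)) { c.seed = new_seed(); reseeds++; }
        c.last_insert = now; /* an unanswered SYN keeps the cache populated */
    }
    return reseeds;
}

/* New scheme: inserts go to the active set while the passive one idles out. */
long reseeds_dual(long ticks, long interval) {
    struct syn_set set[2] = { { new_seed(), 0, 1 }, { new_seed(), 0, 0 } };
    int active = 0;
    long uses = USE_LIMIT, reseeds = 0;
    for (long now = interval; now < ticks; now += interval) {
        if (uses <= 0 && set_empty(&set[!active], now)) {
            active = !active;              /* switch roles */
            set[active].seed = new_seed(); /* fresh seed for the empty set */
            uses = USE_LIMIT;
            reseeds++;
        }
        set[active].last_insert = now; set[active].used = 1;
        uses--;
    }
    return reseeds;
}

int main(void) {
    printf("single=%ld dual=%ld\n", reseeds_single(1000000, 1), reseeds_dual(1000000, 1));
    return 0;
}
```

With one SYN per tick the single cache is never empty and never reseeds, while the two-set model reseeds at every switch because the passive set always drains within `LIFETIME` ticks.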