Date:	Tue, 09 Apr 2013 10:06:17 +0100
From:	Ed W <lists@...dgooses.com>
To:	Linux Networking Developer Mailing List <netdev@...r.kernel.org>
Subject: Modifying the exponential backoff on new connection SYN packets

Hi, I have an unusual situation in that I would like to cap the 
retransmit frequency on the initial SYN packets at some fairly short 
time interval, e.g. a max of 2-4 seconds, rather than the usual 
exponentially increasing interval.  I could use some help figuring out 
the exact point in the kernel to make such a change please?

The situation is that I am building a firewall which will be used with 
expensive satellite links (think $10-100/MB range). Some of the links 
are dialup links which take 20-40 seconds to bring up, and then we have 
PPP drop the link after 10 seconds of inactivity. However, with the 
default exponential backoff on new connections we are generally 
retransmitting with a 16 sec or 32 sec interval by the time the dialup 
link is connected, the timeout for inactivity kicks in and drops the link 
before the retransmit...

I believe the exponential backoff is intended to prevent amplification 
attacks? In this particular case we are accounting for traffic per user 
and the internet costs are extremely substantial, so I think it's not a 
problem.

Could someone please help figure out the appropriate place to tweak the 
exponential backoff? Note this is not retransmit of in flight data, just 
the backoff for the initial SYN (which doesn't seem to be configurable 
in user space?)

Note, we have an application proxy here, but I can't see a sensible way 
to fake it in user space without a lot of extra coding - any suggestions?

Thanks

Ed W
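
Added example, not part of the original message and not kernel code: a small timing model of the situation described above, comparing the doubling SYN retransmit schedule with one capped at 4 seconds against a link that takes 20-40 seconds to dial and is dropped after 10 idle seconds. The 1-second initial timeout, the retry counts, and the rule that SYNs sent while the link is still dialing are lost are assumptions of the model.

```python
# Timing model only. Assumptions (not from the message): the first SYN
# timeout is 1 s, the interval doubles after every retransmit, and any SYN
# sent before the dialup link is up is lost.

def syn_times(retries, initial=1.0, cap=None):
    """Send times in seconds of the first SYN plus `retries` retransmits."""
    times, t, interval = [0.0], 0.0, initial
    for _ in range(retries):
        t += interval
        times.append(t)
        interval *= 2
        if cap is not None:
            interval = min(interval, cap)  # the cap the message asks for
    return times

def first_syn_on_live_link(times, link_up, idle_timeout=10.0):
    """First SYN sent while the link is up, or None if PPP idles out first."""
    for t in times:
        if link_up <= t < link_up + idle_timeout:
            return t
        if t >= link_up + idle_timeout:
            break  # link was already dropped for inactivity
    return None

def survey(cap=None, retries=6, idle_timeout=10.0):
    """Map dial times across the 20-40 s range to the SYN that gets through."""
    times = syn_times(retries, cap=cap)
    return {up: first_syn_on_live_link(times, up, idle_timeout)
            for up in range(20, 41, 5)}

if __name__ == "__main__":
    cases = (("exponential, 6 retries", None, 6),
             ("capped at 4 s, 6 retries", 4.0, 6),
             ("capped at 4 s, 15 retries", 4.0, 15))
    for label, cap, retries in cases:
        print(label)
        for up, hit in survey(cap, retries).items():
            outcome = f"SYN at {hit:.0f} s" if hit is not None else "link dropped"
            print(f"  link up at {up} s: {outcome}")
```

In this model a capped interval only helps if the retry count is raised as well, because six retransmits at a 4-second cap are all sent before the link has finished dialing.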