Let's start with some context.
The Problem: TCP SYN DDoS attack.
TCP SYN attacks flood a targeted server with SYN requests. Each SYN request received by the server is responded to with a SYN ACK, which results in a connection state being created and put in a half-open (SYN RCVD) TCP state awaiting an ACK to come back. *The ACK response never comes*, and the SYN requests keep coming in, resulting in more half-open state creation in the backlog... At some point during this attack there will be so much TCP half-open state that the targeted server loses its ability to respond to new SYN requests because all the available port resources have been exhausted...
How does one defend against SYN flood attack?
A popular defense against SYN attacks uses what is known as SYN cookies.
So, how do SYN cookies work? When the server sees the TCP SYN, it constructs the SYN ACK using a sequence # created from a cryptographic hash of some of the flow attributes. The computed sequence # has enough of the flow attributes encoded in it that it can later be used (when a response to this sequence # arrives) to reconstruct the original SYN request, should the original sender respond.
Two possibilities on responses:
1) If this was an attack, then the server will never receive a response. That is no big deal, since we are not storing any half-open info in the backlog, and therefore no server resources are wasted in anticipation of that response.
2) This is a legitimate client request, in which case there will be a response coming back. When the ACK is received, we look at the ACK sequence # and reconstruct the SYN queue entry using the information that was originally encoded in the SYN ACK.
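To make the two cases above concrete, here is an added example (not code from the talk, the kernel, or SynGate) that simulates the SYN cookie round trip in userspace. The 32-bit cookie layout (5 bits of coarse timestamp, 3 bits of MSS index, 24 bits of keyed hash, all added to the client's initial sequence number), the MSS table, the secret, the addresses and the time values are constructed for the example; the hash is HMAC-SHA256 standing in for whatever the real implementation uses. The server stores nothing between issuing the SYN ACK and checking the returned ACK: everything needed to rebuild the SYN queue entry is recovered from the ACK number alone.

```python
import hmac
import hashlib
import socket
import struct
from dataclasses import dataclass
from typing import Optional

MASK32 = 0xFFFFFFFF
# Constructed MSS table: the 3-bit index in the cookie can only encode one of
# these values, so the client's real MSS is rounded down to the nearest entry.
MSS_TABLE = (536, 1300, 1440, 1460)
# Constructed freshness window: cookies older than this many time ticks are
# rejected even if the hash matches.
MAX_COOKIE_AGE = 2


@dataclass(frozen=True)
class Flow:
    saddr: str   # client IPv4 address
    daddr: str   # server IPv4 address
    sport: int   # client port
    dport: int   # server port


def _flow_mac(secret: bytes, flow: Flow, t: int) -> int:
    """Keyed hash over the flow tuple and the 5-bit time tick, truncated to 24 bits."""
    msg = struct.pack("!4s4sHHB", socket.inet_aton(flow.saddr), socket.inet_aton(flow.daddr),
                      flow.sport, flow.dport, t & 0x1F)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def mss_index(mss: int) -> int:
    """Largest table index whose MSS does not exceed the client's advertised MSS."""
    idx = 0
    for i, value in enumerate(MSS_TABLE):
        if value <= mss:
            idx = i
    return idx


def make_syn_cookie(secret: bytes, flow: Flow, client_isn: int, mss: int, now: int) -> int:
    """Server side of case 2: build the SYN ACK sequence number; nothing is stored."""
    payload = ((now & 0x1F) << 27) | (mss_index(mss) << 24) | _flow_mac(secret, flow, now)
    return (client_isn + payload) & MASK32


def check_syn_cookie(secret: bytes, flow: Flow, seq: int, ack: int, now: int) -> Optional[dict]:
    """On the returning ACK, recover the cookie and rebuild the SYN queue entry, or reject."""
    client_isn = (seq - 1) & MASK32       # client's SEQ in the ACK is its ISN + 1
    cookie = (ack - 1) & MASK32           # client's ACK is our cookie + 1
    payload = (cookie - client_isn) & MASK32
    t = payload >> 27
    idx = (payload >> 24) & 0x7
    mac = payload & 0xFFFFFF
    if ((now - t) & 0x1F) > MAX_COOKIE_AGE:   # stale or garbage timestamp
        return None
    expected = _flow_mac(secret, flow, t)
    if not hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None                           # hash mismatch: not a cookie we issued
    return {"flow": flow, "client_isn": client_isn, "server_isn": cookie, "mss": MSS_TABLE[idx]}


def demo() -> dict:
    """Three ACKs against one issued cookie: legitimate, forged, and too old."""
    secret = b"constructed-demo-secret-rotate-me"
    flow = Flow("198.51.100.7", "203.0.113.10", 40000, 443)   # constructed addresses
    now = 100
    client_isn = 0x12345678
    cookie = make_syn_cookie(secret, flow, client_isn, 1460, now)
    seq = (client_isn + 1) & MASK32
    legit = check_syn_cookie(secret, flow, seq, (cookie + 1) & MASK32, now + 1)
    forged = check_syn_cookie(secret, flow, seq, 0xDEADBEEF, now + 1)   # never issued
    stale = check_syn_cookie(secret, flow, seq, (cookie + 1) & MASK32, now + 10)
    return {"cookie": cookie, "legit": legit, "forged": forged, "stale": stale}


if __name__ == "__main__":
    print(demo())
```

Case 1 on the page (attack, no response) is the absence of any call to `check_syn_cookie`; the server paid for one hash and one SYN ACK and holds no state. Case 2 is the `legit` path, which returns the rebuilt entry with the client ISN, the server ISN and the (table-rounded) MSS. The 3-bit MSS field also shows the usual cost of cookies: only what fits in 32 bits survives the round trip, so the reconstructed entry is an approximation of the original SYN.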
SYN cookies are effective, but: the operation requires that the packets traverse the TCP/IP layers all the way up. For a busy server, the extra code path and the hash computation constrain how fast you can issue SYN cookies back.
In this talk, Petar Penkov, Eric Dumazet and Stanislav Fomichev discuss SynGate, an XDP-based approach to handling SYN cookies. By moving the response lower in the stack, it increases the rate at which a host can issue SYN cookies and therefore improves its resilience to SYN flood attacks.
Petar et al. will detail the design of this solution, the advantages eBPF provided them and the challenges faced during development of SynGate, and finally they will discuss areas they are considering for improvement.
More info: https://netdevconf.info/0x14/session.html?talk-issuing-SYN-cookies-in-XDP
Reminder: registration is now open and the early-bird rate is still in effect. https://netdevconf.info/0x14/registration.html
cheers, jamal