SYN cookies are generated as a hash of a secret combined with connection parameters (e.g., both endpoints' IP addresses and ports). The secret prevents attackers from predicting cookie values and thereby mounting effective DDoS attacks. In the original syncookied design, the secret is read from the protected service host and passed to syncookied via a loadable tcpsecrets kernel module and a userspace service. This allows syncookied to be inserted into or removed from the packet path transparently, without breaking existing connections.
In the current deployment model, many machines may terminate the same public IP address. Each machine has its own secret, which makes it impossible for syncookied to know which secret to use.
To solve this, a ticker mechanism was introduced: both syncookied and all service hosts derive an identical secret from a configured base secret plus the current time. Synchronization therefore needs no network connectivity, only correct clocks; however, the code that applies the derived secret on the service hosts was previously implemented as a kernel patch.
This approach hit two issues:
- The ticker was implemented as a kernel patch. Any kernel version change can require a rebuild, and minor kernel code changes can break the patch.
- Starting with Linux 4.11, the kernel switched the syncookie hashing algorithm from SHA-1 to SipHash, while the public syncookied only supports SHA-1.
syncsync is a loadable kernel module that alters the kernel so that SHA-1 continues to be used for TCP SYN cookie hashing (even on Linux 6.x) and adds ticker support. It is packaged with DKMS, so you do not need to rebuild the kernel. Install two RPM packages: one builds the module for the running kernel, the other sets the required sysctls, enables auto-loading, and configures the module at boot.
syncsync expects (and the package sets) the following sysctls:
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_syncookies = 2
Warning: If you load the module over SSH while the client machine has net.ipv4.tcp_timestamps = 1, the TCP timestamps of the existing session will desynchronize and your SSH session will drop; reconnect after loading.
Tested kernels:
- CentOS 7 — 5.4.226-1.el7.elrepo.x86_64
- CentOS 7 — 5.4.230-1.el7.elrepo.x86_64
- CentOS 7 — 6.1.0-1.el7.elrepo.x86_64
- CentOS 7 — 6.1.8-1.el7.elrepo.x86_64
- AlmaLinux 8 — 4.18.0-425.3.1.el8.x86_64
- AlmaLinux 8 — 4.18.0-425.10.1.el8_7.x86_64
- AlmaLinux 8 — 5.4.230-1.el8.elrepo.x86_64
- AlmaLinux 8 — 6.1.8-1.el8.elrepo.x86_64
- AlmaLinux 9 — 5.14.0-162.12.1.el9_1.x86_64
- AlmaLinux 9 — 6.1.8-1.el9.elrepo.x86_64
Set the secret in /etc/syncsync.conf. Restarting the service (systemctl restart syncsync) updates the secret inside the kernel.
Time synchronization is mandatory between the host running syncookied and all service hosts.
Example snippet:
- ip: 192.168.100.119
  mac: 08:00:27:00:00:19
  secrets_addr: ticker://0@0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef:1000
Using offset 0 as in this snippet is not recommended: by default a SYN cookie is valid for at most 2 minutes, and with stock syncookied at offset 0 the effective validity is at most 1 minute. From the Linux v5.14 source, include/net/tcp.h line 487:
Syncookies use a monotonic timer which increments every 60 seconds. This counter is used both as a hash input and partially encoded into the cookie value. A cookie is only validated further if the delta between the current counter value and the encoded one is less than this, i.e. a sent cookie is valid only at most for 2*60 seconds (or less if the counter advances immediately after a cookie is generated).
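The age rule in the quoted comment, worked through in an added example that is not kernel code or syncsync's code: the cookie carries the low bits of the 60-second counter, the verifier recovers the counter from them, and the cookie is accepted only while the counter has advanced fewer than MAX_SYNCOOKIE_AGE (2) times since issuance. The cookie layout here (8 counter bits above a 24-bit SHA-1 truncation over the 4-tuple), the sample secret and the addresses are constructed for illustration and are not the kernel's exact encoding. `remaining_validity` shows the "or less if the counter advances immediately" case: a cookie issued at second 0 lives 120 s, one issued at second 59 only 61 s.

```python
import hashlib
import struct

# Constants from the kernel comment quoted above: the counter advances every
# 60 s and a cookie is accepted only while (now_counter - cookie_counter) < 2.
SYNCOOKIE_PERIOD = 60
MAX_SYNCOOKIE_AGE = 2

# Toy cookie layout (not the kernel's exact encoding): the low 8 bits of the
# counter in the top byte, a 24-bit SHA-1 truncation over the 4-tuple below it.
COUNT_BITS = 8
HASH_BITS = 24
HASH_MASK = (1 << HASH_BITS) - 1
COUNT_MASK = (1 << COUNT_BITS) - 1

SECRET = b"constructed-demo-secret"  # placeholder, not a real secret


def cookie_counter(now: int) -> int:
    """The monotonic counter: wall-clock seconds divided into 60 s periods."""
    return now // SYNCOOKIE_PERIOD


def _mac(secret: bytes, saddr: str, daddr: str, sport: int, dport: int,
         count: int) -> int:
    """24-bit keyed hash of the connection 4-tuple and the counter."""
    msg = f"{saddr}:{sport}>{daddr}:{dport}".encode() + struct.pack("!Q", count)
    return int.from_bytes(hashlib.sha1(secret + msg).digest()[:3], "big")


def make_cookie(secret: bytes, saddr: str, daddr: str, sport: int,
                dport: int, now: int) -> int:
    """Issue a cookie for a SYN seen at time `now`."""
    count = cookie_counter(now)
    return ((count & COUNT_MASK) << HASH_BITS) | _mac(secret, saddr, daddr,
                                                      sport, dport, count)


def check_cookie(secret: bytes, saddr: str, daddr: str, sport: int,
                 dport: int, cookie: int, now: int) -> bool:
    """Accept the cookie only if it is fresh enough and its hash verifies."""
    count_now = cookie_counter(now)
    # Recover how many periods have elapsed from the encoded low counter bits.
    diff = (count_now - (cookie >> HASH_BITS)) & COUNT_MASK
    if diff >= MAX_SYNCOOKIE_AGE:
        return False  # stale, or issued under a clock running ahead of ours
    count = count_now - diff
    return (cookie & HASH_MASK) == _mac(secret, saddr, daddr, sport, dport, count)


def remaining_validity(issued_at: int) -> int:
    """Seconds a cookie issued at `issued_at` stays acceptable: 120 s right
    after a counter tick, only 61 s when issued one second before the next."""
    return ((cookie_counter(issued_at) + MAX_SYNCOOKIE_AGE) * SYNCOOKIE_PERIOD
            - issued_at)


if __name__ == "__main__":
    c = make_cookie(SECRET, "10.0.0.1", "10.0.0.2", 40000, 443, 59)
    for t in (60, 119, 120):
        print(t, check_cookie(SECRET, "10.0.0.1", "10.0.0.2", 40000, 443, c, t))
    print(remaining_validity(0), remaining_validity(59))  # 120 61
```

The rejection of a cookie whose encoded counter is ahead of the verifier's clock (`diff` wraps to a large value) is the same failure a service host sees when its clock lags syncookied's: the cookie is cryptographically fine but is discarded as out of window, which is another reason the time-synchronization requirement above is not optional.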
syncsync creates /proc/syncsync and exports the following controls:
- secret — secret used to generate SYN cookies.
- debug — debug mode; emits additional messages to dmesg.
- offset — time offset in seconds, for ticker compatibility.
- extended_age_check — experimental stale-cookie check; not recommended.
A systemd syncsync service loads these from /etc/syncsync.conf.
DKMS requires the kernel-devel package for your running kernel.
- syncsync-dkms-*.rpm — DKMS package providing the syncsync kernel module.
- syncsync*.rpm — userspace package that applies sysctl settings, enables auto-loading, and configures the module.
Migrating a host from the ticker kernel patch to syncsync:
- Drain traffic from the host.
- Update the kernel.
- Remove the ticker packages.
- Install the syncsync packages.
- In /etc/syncsync.conf, set the correct secret and offset (use exactly what syncookied is configured to use for this host).
- Apply the settings to the kernel: systemctl restart syncsync.
- Verify TCP connectivity to any open port on the host.
- Restore traffic to the host.
Implement secure TCP timestamps using an SHA-1 hash (?).