Hi guys, I have written a new method to implement syncookie to defend DDOS,
I have test the performance of generating and checking cookie which is 50 times more quicker than the standard method.

on my vmware running on P4 1.7G thinkpad, it generates 100,000,000 cookies in 11 seconds while the standard method takes 26 seconds to do 5000,000 times SHA1 encryptions. The standard method would takes more time to generate/check cookie as SHA1 encryption is just one of its steps to generate cookie. So in terms of efficiency, my method would be more than 50 times better than the standard way.

I have tested it on 2.6.20-18, but I have no environment to simulate DDOS(I have only one notebook ). I post my code here and hope if someone is interested and will do some pressure test on it. Any suggestion will be highly appreciated!

Can someone tell me how to upload my code?

wow, I am a newbie here thus not permitted to upload attachment.
pls download syncookie.c from an other forum where i post eralier:

http://linux.chinaunix.net/bbs/attac...php?aid=178266

or if someone interested pls contact me by high.lin@gmail.com, I will send you
the code

how to use it:

I have only tested it on 2.6.20-18

1: replace linux-2.6.20.18/net/ipv4/syncookie.c with my one
2: compile new kernel with syncookie support
3: echo n >/proc/sys/net/ipv4/tcp_syncookie
if n=1 then you choose to use the standard method of syncookie,
n>1 you choose to use my new method. n means to re-generate the 1024 byte secret in n seconds

pls set n to a high value, saying 300 to reduce overhead of re-creating the secret

http://linux.chinaunix.net/bbs/attac...php?aid=178266 seems does work for you guys(you have to register to download it)

can someone help me to upload my code?

pls check the post here:
http://www.linuxforums.org/forum/lin...syncookie.html

and the url of code is:
http://www.linuxforums.org/forum/att...syncookies.zip

thank you for any suggestion