Links:
pf syncookies in-progress tree URL: https://github.com/kprovost/freebsd-src/tree/modirum/pf-syncookie-cleanup

Contact: Kristof Provost <kp@FreeBSD.org>

SYN cookies are a mechanism to resist SYN flood denial of service attacks. The FreeBSD network stack has supported this since 2001. However, this does not prevent such an attack from flooding the pf state table.

OpenBSD ported this mechanism from FreeBSD into their pf in 2018. This code is now being ported to FreeBSD’s pf.

The work is still in progress, but the current version demonstrates the basic capability. Next steps include additional testing, extra automated test cases and implementing the adaptive mode.

The adaptive mode requires extra care in FreeBSD’s pf, above what was done in OpenBSD, because of different locking strategies.

Sponsor: Modirum MDPay