MCPcopy Index your code
hub / github.com/LTD-Beget/syncookied

github.com/LTD-Beget/syncookied @v0.3.2

Chat with this repo
repository ↗ · DeepWiki ↗ · release v0.3.2 ↗ · + Follow
273 symbols 471 edges 18 files 14 documented · 5%
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

syncookied

syncookied logo

Build Status

syncookied emulates linux kernel syncookie functionality by intercepting SYN packets and sending replies to them using the same cookie generation alghorithm. It can achieve better performance under SYN flood attacks thanks to kernel bypass (netmap).

Installation

  1. Install rust (instructions here: https://www.rust-lang.org/en-US/downloads.html)
  2. Install build-essential and libpcap-dev or equivalent package for your distribution
  3. Install netmap. Make sure netmap.h / netmap_user.h can be found in /usr/include. Alternative you can point CFLAGS variable to their location: example.
  4. run cargo build --release, resulting binary will be found in target/release/syncookied.

Note: we use AVX-accelerated SHA1 function by default. SSE3 implementation is also available under sse3 feature flag, i.e.: cargo build --features=sse3 --no-default-features --release.

How to run

On server you want to protect

  1. Install tcpsecrets linux kernel mode to expose tcp syncookie key and timestamp
  2. Start syncookied in server mode: syncookied server <proto://ip:port>. Running this commands automatically starts a TCP or UDP server on specified ip/port and sets net.ipv4.tcp_syncookies to 2 on first request.

On server you want to use for packet processing

  1. Install netmap and make sure it works (pkt-gen)

  2. Disable NIC offloading features on the interface you want to use (eth2 here):

ethtool -K eth2 gro off gso off tso off lro off rx off tx off ethtool -A eth2 rx off tx off ethtool -G eth2 rx 2048 tx 2048

  1. Set up queues and affinities. Here we bind 12 queues to first 12 cpu cores:

QUEUES=12 ethtool -L eth2 combined $QUEUES ./set_irq_affinity -x 0-11 eth2

set_irq_affinity is available at https://github.com/majek/ixgbe/blob/master/scripts/set_irq_affinity
  1. Create hosts.yml file in the working directory, which looks like this ```
  2. ip: 185.50.25.4 secrets_addr: udp://192.168.3.231:1488 mac: 0c:c4:7a:6a:fa:bf ``` Here ip is external ip you want to protect, secrets_addr is the address of syncookied server running on protected host, and mac is its MAC address.

  3. Run syncookied -i eth2. It will print something like this: Configuration: 185.50.25.4 -> c:c4:7a:6a:fa:bf interfaces: [Rx: eth2/3c:fd:fe:9f:a8:82, Tx: eth2/3c:fd:fe:9f:a8:82] Cores: 24 12 Rx rings @ eth2, 12 Tx rings @ eth2 Queue: 1048576 Starting RX thread for ring 0 at eth2 Starting TX thread for ring 0 at eth2 Uptime reader for 185.50.25.4 starting ...

  4. Configure your network equipment to direct traffic for protected ip to syncookied.

  5. You can reload configuration at any time by changing hosts.yml and sending HUP signal to syncookied. It will print something like this:

Uptime reader for 185.50.25.4 exiting All uptime readers dead Old readers are dead, all hail to new readers Uptime reader for 185.50.25.4 starting ...

  1. Enjoy your ddos protection

Notes

syncookied has some options you may want to tune, see syncookied --help. If you have more than 1 interface on your server, you may want to look into -O to use second one for TX. This greatly improves performance and latency as forwarding and syn-reply traffic is separated.

Traffic filtering

It's possible to filter traffic by adding "filters" section to host configuration like this:

- ip: 185.50.25.4
  secrets_addr: 127.0.0.1:1488
  mac: 0c:c4:7a:6b:0a:78
  filters:
   tcp and dst port 53: drop
   tcp and dst port 22: pass
   default: pass

Filters are written in pcap syntax. Consult pcap-filter(7) for more information. Default policy is "pass". It can be changed by using default key. Note that filtering happens on layer 4.

Troubleshooting

Please check the FAQ before filing an issue.

Need help?

Join us on Telegram: https://telegram.me/syncookied

Performance

syncookied under 12.65 Mpps syn flood attack utilizing 12 cores of Xeon E5-2680v3: syncookied perf

License

syncookied is distributed under the term of GPLv2.

Extension points exported contracts — how you extend this code

UptimeReader (Interface)
(no doc) [3 implementers]
src/uptime.rs
NetmapSlot (Interface)
(no doc) [2 implementers]
src/netmap.rs
NetmapRing (Interface)
(no doc) [2 implementers]
src/netmap.rs

Core symbols most depended-on inside this repo

rol32
called by 144
src/sha1.c
ror32
called by 80
src/sha1.c
get_unaligned_be32
called by 16
src/sha1.c
set_value
called by 15
src/metrics.rs
clone
called by 10
src/main.rs
set_flags
called by 8
src/netmap.rs
next
called by 8
src/netmap.rs
iter
called by 6
src/netmap.rs

Shape

Function 145
Method 88
Class 29
Enum 8
Interface 3

Languages

Rust64%
C36%

Modules by API surface

src/csum-partial_64.c82 symbols
src/netmap.rs44 symbols
src/main.rs32 symbols
src/packet.rs21 symbols
src/sha1.c16 symbols
src/uptime.rs15 symbols
src/config.rs13 symbols
src/ring.rs11 symbols
src/util.rs8 symbols
src/metrics.rs8 symbols
src/cookie.rs6 symbols
src/filter.rs5 symbols

For agents

$ claude mcp add syncookied \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact