gatekeeper
Implementing syncookied as a request BPF
Once issue #602 is implemented, the effort needed to implement syncookied as a request BPF will be lower. Namely, it would only require adding the following facilities to the BPF running environment in Gatekeeper:
- Replying to packets;
- Computing SYN cookies.
The request BPF implementing syncookied should only forward SYN packets with proper cookies to Grantor servers. This BPF must also limit the rate at which it replies to SYN packets, so that Gatekeeper servers cannot be used in reflection attacks.
The syncookied BPF would be a variation of the port knocking originally suggested in issue #602.
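The two facilities above (computing and checking a SYN cookie, and rate-limiting replies) sketched as an added example in plain C; this is not Gatekeeper or syncookied code, the cookie layout, the mixing function and the `reply_limiter` struct are assumptions, and packet fields and time are passed in as arguments rather than read from a packet.

```c
/* Added example, not code from Gatekeeper or syncookied: the two facilities
 * the issue asks for, in plain C with packet fields passed as arguments.
 * Cookie layout (constructed): 8-bit coarse time counter in the top bits,
 * 24-bit keyed MAC over the 4-tuple and that counter in the low bits. */
#include <stdint.h>
#include <stdbool.h>

/* Constructed secret; a deployment would draw a random key per instance. */
static const uint64_t COOKIE_KEY = 0x9e3779b97f4a7c15ULL;
#define COOKIE_WINDOW 2 /* accept cookies from the last two counter ticks */
/* Keyed mixer standing in for a real MAC such as SipHash. */
static uint32_t cookie_mac(uint32_t saddr, uint32_t daddr, uint16_t sport,
                           uint16_t dport, uint32_t count)
{
    uint64_t v = COOKIE_KEY ^ (((uint64_t)saddr << 32) | daddr);
    v ^= ((uint64_t)sport << 48) | ((uint64_t)dport << 32) | count;
    v ^= v >> 31; v *= 0x7fb5d329728ea185ULL;
    v ^= v >> 27; v *= 0x81dadef4bc2dd44dULL;
    return (uint32_t)(v ^ (v >> 33));
}
/* Cookie placed in the SYN+ACK sequence number; count = time / 64 s. */
uint32_t syncookie_make(uint32_t saddr, uint32_t daddr, uint16_t sport,
                        uint16_t dport, uint32_t count)
{
    return (count << 24) |
           (cookie_mac(saddr, daddr, sport, dport, count) & 0x00ffffffu);
}
/* Verify the cookie echoed back (ack number minus one in the final ACK);
 * only a flow that passes is worth forwarding to a Grantor server. */
bool syncookie_check(uint32_t cookie, uint32_t saddr, uint32_t daddr,
                     uint16_t sport, uint16_t dport, uint32_t now_count)
{
    uint32_t count = cookie >> 24;
    if (((now_count - count) & 0xff) >= COOKIE_WINDOW)
        return false; /* stale, or counter forged */
    return (cookie & 0x00ffffffu) ==
           (cookie_mac(saddr, daddr, sport, dport, count) & 0x00ffffffu);
}
/* Token bucket capping SYN+ACK replies so the server cannot be turned into
 * a reflector: refill `rate` tokens per second, hold at most `burst`. */
struct reply_limiter { uint64_t tokens, rate, burst, last_sec; };
bool reply_allowed(struct reply_limiter *l, uint64_t now_sec)
{
    l->tokens += (now_sec - l->last_sec) * l->rate;
    l->last_sec = now_sec;
    if (l->tokens > l->burst) l->tokens = l->burst;
    if (l->tokens == 0) return false; /* over budget: drop the SYN silently */
    l->tokens--;
    return true;
}
```

A cookie is accepted only while its counter is within `COOKIE_WINDOW` ticks of the current one, which is what bounds how long a captured cookie stays usable.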