I have implemented a BPF kernel program that acts as a kind of SYN proxy to deal with SYN floods. What it does is store a cookie when a SYN from a client comes in, hashing its IP and port into a BPF map. When the client replies correctly, its hash is added to the whitelist, and subsequent packets go straight to the server.
My problem is that maps in BPF can't be resized at runtime, so I need to find a way to reuse slots in the map. So far, what I did was to change the map to an array, take the hash of the client and use the % modulo operator with the size of the array to find a slot in that array that the client will use. The problem with that is that under an attack there are many overlaps of the index, and some of the attacking IPs happen to be in the whitelist according to the hash, so they get through to the server.
I was hoping to start a discussion here about how this could be done in a more efficient way.
Thanks.
question from: https://stackoverflow.com/questions/65853008/bpf-dealing-with-full-hash-table-for-storing-syn-cookie-answers-and-whitelistin
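The collision the question describes is not really a capacity problem but a lookup problem: if the array slot only records "whitelisted" and the packet path only checks the index, every client whose hash lands on that index inherits the whitelist. The following userspace C simulation is an added example (not code from the question or from any BPF project) that models the same array-plus-modulo table with a deliberately tiny size, shows the index-only check admitting a colliding client, and shows the fix: store the full (IP, port) key in the slot and compare it on every lookup, evicting pending or idle occupants on a new SYN but refusing to overwrite a recently active whitelisted one. The hash, the secret, the table size, the idle TTL and all addresses are constructed values; the cookie derivation is a placeholder, not a real SYN-cookie scheme.

```c
/* Added example: simulation of the "hash % array_size" slot table from the
 * question, with and without a full-key comparison on lookup. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TABLE_SIZE    8            /* deliberately tiny so collisions are easy to hit */
#define IDLE_TTL      300          /* seconds before an idle whitelisted entry may be evicted */
#define COOKIE_SECRET 0x5bd1e995u  /* constructed secret; a real deployment would use a random one */

enum slot_state { SLOT_FREE = 0, SLOT_PENDING = 1, SLOT_WHITELISTED = 2 };

struct slot {
    uint32_t ip;        /* full key is stored so a colliding client cannot impersonate it */
    uint16_t port;
    uint8_t  state;
    uint32_t cookie;    /* expected ACK value while SLOT_PENDING */
    uint64_t last_seen; /* drives idle eviction of whitelisted entries */
};

static struct slot table[TABLE_SIZE];

void reset_table(void) { memset(table, 0, sizeof table); }

/* FNV-1a over ip||port: fine for slot placement, not a secret-keyed hash. */
static uint32_t hash_key(uint32_t ip, uint16_t port)
{
    uint8_t buf[6] = { (uint8_t)(ip >> 24), (uint8_t)(ip >> 16), (uint8_t)(ip >> 8),
                       (uint8_t)ip, (uint8_t)(port >> 8), (uint8_t)port };
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < sizeof buf; i++) { h ^= buf[i]; h *= 16777619u; }
    return h;
}

uint32_t slot_index(uint32_t ip, uint16_t port) { return hash_key(ip, port) % TABLE_SIZE; }

static bool key_matches(const struct slot *s, uint32_t ip, uint16_t port)
{
    return s->state != SLOT_FREE && s->ip == ip && s->port == port;
}

/* SYN arrives: claim the slot and return the cookie to send back. Returns 0 (drop,
 * no cookie) when the slot belongs to a different, recently active whitelisted
 * client; a pending or idle occupant is simply evicted. */
uint32_t on_syn(uint32_t ip, uint16_t port, uint64_t now)
{
    struct slot *s = &table[slot_index(ip, port)];
    if (!key_matches(s, ip, port) && s->state == SLOT_WHITELISTED &&
        now - s->last_seen <= IDLE_TTL)
        return 0;
    uint32_t cookie = hash_key(ip, port) ^ COOKIE_SECRET ^ (uint32_t)(now / 60);
    if (cookie == 0) cookie = 1;              /* keep 0 reserved as "dropped" */
    s->ip = ip; s->port = port; s->state = SLOT_PENDING;
    s->cookie = cookie; s->last_seen = now;
    return cookie;
}

/* ACK arrives: whitelist only if this exact key owns the slot and the cookie matches. */
bool on_ack(uint32_t ip, uint16_t port, uint32_t cookie, uint64_t now)
{
    struct slot *s = &table[slot_index(ip, port)];
    if (!key_matches(s, ip, port) || s->state != SLOT_PENDING || s->cookie != cookie)
        return false;
    s->state = SLOT_WHITELISTED;
    s->last_seen = now;
    return true;
}

/* Later packet: pass only when the slot is whitelisted AND belongs to this key. */
bool allow_established(uint32_t ip, uint16_t port, uint64_t now)
{
    struct slot *s = &table[slot_index(ip, port)];
    if (!key_matches(s, ip, port) || s->state != SLOT_WHITELISTED)
        return false;
    s->last_seen = now;
    return true;
}

/* The check from the question: index only, no key comparison, so any client
 * whose hash lands on a whitelisted slot is let through. */
bool allow_established_index_only(uint32_t ip, uint16_t port)
{
    return table[slot_index(ip, port)].state == SLOT_WHITELISTED;
}

/* Demo helper: find a source port for `ip` that maps to slot `target`. */
uint16_t find_colliding_port(uint32_t ip, uint32_t target)
{
    for (uint32_t p = 1024; p < 65536; p++)
        if (slot_index(ip, (uint16_t)p) == target) return (uint16_t)p;
    return 0;
}

int main(void)
{
    uint32_t client = 0x0a000001u, other = 0xc0a80005u;  /* constructed 10.0.0.1 and 192.168.0.5 */
    reset_table();
    uint32_t c = on_syn(client, 40000, 100);
    on_ack(client, 40000, c, 101);
    uint16_t p = find_colliding_port(other, slot_index(client, 40000));
    printf("index-only check admits colliding client: %d\n", allow_established_index_only(other, p));
    printf("key-compare check admits it:             %d\n", allow_established(other, p, 102));
    return 0;
}
```

The same three rules carry over to the BPF array version: make the map value a struct that holds the key, never trust a slot without comparing it, and decide explicitly who may be evicted (pending entries and idle whitelisted ones here, so an ongoing flood churns only pending slots). If the kernel is recent enough, Linux also offers BPF_MAP_TYPE_LRU_HASH, which keeps the real key as the map key and evicts least-recently-used entries itself when the map is full, removing the need for the modulo trick altogether.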