Once issue #602 is implemented, the effort to enable the implementation of syncookied as a request BPF will have been lowered. Namely, it would require adding the following facilities to the running environment of BPF in Gatekeeper:
- Replying to packets;
- Computing SYN cookies.
The request BPF implementing syncookied should only forward SYN packets with proper cookies to Grantor servers. This BPF must also limit the reply rate to SYN packets to avoid Gatekeeper servers being used in reflection attacks.
The syncookied BPF would be a variation of the port knocking originally suggested in issue #602.
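The decision logic described above (forward only on a proper cookie, otherwise send a rate-limited cookie reply), sketched in plain C as an added example; it is not code from the Gatekeeper project and does not model Gatekeeper's BPF interface. The struct layouts, the 64-second epoch, the `mix` stand-in hash and the `has_cookie` flag (how the client echoes the cookie is left abstract) are all assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed types: IPv4 4-tuple and a token bucket for cookie replies. */
struct flow { uint32_t saddr, daddr; uint16_t sport, dport; };
struct bucket { uint64_t tokens, burst, rate, last; }; /* rate in replies/s */
enum verdict { DROP, REPLY_WITH_COOKIE, FORWARD_TO_GRANTOR };

/* Stand-in keyed mixer, NOT cryptographic; use a keyed PRF such as SipHash. */
static uint32_t mix(uint64_t key, const struct flow *f, uint64_t epoch)
{
    uint64_t w[3] = { ((uint64_t)f->saddr << 32) | f->daddr,
                      ((uint64_t)f->sport << 16) | f->dport, epoch };
    uint64_t h = key;
    for (int i = 0; i < 3; i++) {
        h = (h ^ w[i]) * 0xBF58476D1CE4E5B9ULL;
        h ^= h >> 29;
    }
    return (uint32_t)(h ^ (h >> 32));
}

/* Cookies are bound to a 64 s epoch; accept the current and previous one. */
static bool cookie_valid(uint64_t key, const struct flow *f, uint32_t c, uint64_t now)
{
    uint64_t e = now / 64;
    return c == mix(key, f, e) || (e > 0 && c == mix(key, f, e - 1));
}

/* Token bucket: caps replies so spoofed SYNs cannot drive reflection. */
static bool reply_allowed(struct bucket *b, uint64_t now)
{
    uint64_t t = b->tokens + (now - b->last) * b->rate;
    b->tokens = t > b->burst ? b->burst : t;
    b->last = now;
    if (b->tokens == 0) return false;
    b->tokens--;
    return true;
}

/* Per-packet decision: valid cookie -> forward; no cookie -> limited reply. */
static enum verdict handle(uint64_t key, const struct flow *f, bool has_cookie,
                           uint32_t cookie, uint64_t now, struct bucket *b, uint32_t *out)
{
    if (has_cookie)
        return cookie_valid(key, f, cookie, now) ? FORWARD_TO_GRANTOR : DROP;
    if (!reply_allowed(b, now)) return DROP;
    *out = mix(key, f, now / 64); /* cookie to place in the reply */
    return REPLY_WITH_COOKIE;
}
```

Because the cookie is recomputed from the packet and a secret key, the sketch keeps no per-flow state; the only mutable state is the reply bucket.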