Ramzi Alqrainy

on 9 January 2014


Transcript of TCP FAST OPEN

Web Page Load
Web Transfer Latency
1. SYN Flood / Server Resource Exhaustion
Page Load Time
Image by Tom Mooring
SYN Flood / Server Resource Exhaustion
Bogus requests consume CPU and memory at the server
If the cookie presented by the attacker is not valid, the data in the SYN packet is not accepted.
Fallback to regular TCP
Amplified Reflection Attack
Bogus requests consume CPU and memory at the server
Threshold pending TCP Fast Open connections at server
Fallback to regular TCP if threshold is exceeded
Security Consideration
A new TCP mechanism that enables data to be exchanged safely during TCP’s initial handshake.
* Number of round trips required to transfer application data.
* RTT between the client and the server
HTTP Persistent Connections
Reuses TCP connections for multiple transactions
Widely deployed (92% of connections support it)
> 33% of requests still use new connections (cold requests)
[Chrome, Yahoo CDN] statistics
SYN + TFO cookie request
SYN-ACK + TFO cookie
Generates cookie by encrypting client IP
Client caches cookie for this server IP
SYN + TFO cookie + data
Validates client TFO cookie + accepts connection + data is made available to application
Data in the SYN packet also ACKed by server
More data packets sent to client while handshake is in progress
2. Amplified Reflection Attack
Kernel – Linux 2.6.34
2000 lines of modifications to TCP stack
Congestion control not directly affected, only connection setup is changed

Client – Chrome browser
sendto() and sendmsg() system calls with new MSG_TFO flag
Chrome supports TCP Fast Open since mid 2010
Server – Apache
Socket option to enable TCP Fast Open on listen socket
Server Performance
TCP Fast Open Cookie
* 8 – 16 byte token

* Granted and validated by servers

* Permission to send request in SYN packet to the server

* Validates IP ownership of client

* Encrypts IP address of client using a server secret key

* Expires after a timeout set by server
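The cookie lifecycle from the "TCP Fast Open Cookie" slide together with the server-side fallback rules from the "Security Consideration" slides, as an added Python model that is not part of the presentation or of any TFO implementation: the server mints a cookie bound to the client IP and an issue time under its secret key, rejects it for a different source IP or after the timeout, and falls back to a regular three-way handshake on an invalid cookie or when pending TFO connections exceed a threshold. The HMAC construction (standing in for the encryption of the client IP the slide describes), the 16-byte layout, the 3600 s lifetime and the threshold of 2 are assumptions of this model.

```python
import hmac, hashlib, ipaddress

# Constructed model of the TFO cookie and the server-side fallback rules on the slides; HMAC
# over client IP + issue time stands in for encrypting the client IP under a server secret.
COOKIE_LEN = 16         # token size, inside the 8-16 byte range the slides give (assumed)
COOKIE_LIFETIME = 3600  # seconds until a cookie expires, a server-chosen timeout (assumed)

class TFOServer:
    def __init__(self, secret, max_pending=2):
        self.secret = secret            # server secret key used to mint and check cookies
        self.max_pending = max_pending  # threshold of pending TFO connections (assumed)
        self.pending_tfo = 0            # TFO connections whose handshake is still open
    def _tag(self, client_ip, issued):
        msg = ipaddress.ip_address(client_ip).packed + issued
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:COOKIE_LEN - 4]
    def grant_cookie(self, client_ip, now):
        """Answer 'SYN + TFO cookie request': 4-byte issue time || 12-byte tag."""
        issued = int(now).to_bytes(4, "big")
        return issued + self._tag(client_ip, issued)
    def _cookie_valid(self, client_ip, cookie, now):
        if len(cookie) != COOKIE_LEN:
            return False
        issued, tag = cookie[:4], cookie[4:]
        if int(now) - int.from_bytes(issued, "big") > COOKIE_LIFETIME:
            return False                # expired: the server's timeout has passed
        return hmac.compare_digest(tag, self._tag(client_ip, issued))
    def handle_syn(self, client_ip, cookie, data, now):
        """'tfo': data in the SYN is accepted; 'fallback': regular three-way handshake."""
        if not self._cookie_valid(client_ip, cookie, now):
            return "fallback"           # invalid cookie: data in the SYN is not accepted
        if self.pending_tfo >= self.max_pending:
            return "fallback"           # threshold exceeded: SYN-flood / exhaustion defence
        self.pending_tfo += 1
        return "tfo"
    def handshake_completed(self):
        self.pending_tfo -= 1           # handshake finished, frees a slot for the next TFO SYN

def demo():
    srv = TFOServer(secret=b"constructed-demo-secret", max_pending=2)
    t0, req = 1_000_000, b"GET / HTTP/1.1\r\n\r\n"  # constructed request carried in the SYN
    cookie = srv.grant_cookie("192.0.2.10", t0)    # client caches it for this server IP
    r = {"valid": srv.handle_syn("192.0.2.10", cookie, req, t0 + 1),
         "spoofed_ip": srv.handle_syn("198.51.100.7", cookie, req, t0 + 1),
         "expired": srv.handle_syn("192.0.2.10", cookie, req, t0 + COOKIE_LIFETIME + 1)}
    srv.handle_syn("192.0.2.10", cookie, req, t0 + 2)  # second pending TFO connection
    r["over_threshold"] = srv.handle_syn("192.0.2.10", cookie, req, t0 + 3)
    srv.handshake_completed()                          # one handshake finishes
    r["after_completion"] = srv.handle_syn("192.0.2.10", cookie, req, t0 + 4)
    return r
```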