[5063] in North American Network Operators' Group
Re: TCP SYN attacks - a simple solution
daemon@ATHENA.MIT.EDU (Jeff Weisberg)
Mon Oct 7 09:45:28 1996
From: Jeff Weisberg <jaw@Op.Net>
Date: Mon, 7 Oct 1996 08:46:14 -0400
To: bugtraq@netspace.org, nanog@merit.edu, iepg@iepg.org, rex@cs.su.oz.au
| There have been several (many?) products attempting to solve the TCP
| SYN attack through timeouts. They watch the SYN packets, and flush
| ones, by doing a RESET on the connection if the third packet isn't
| received in time. Or letting connections fail by flushing the infant
| connection table when full. I believe this is wrong!
[...]
| I propose a solution where the initial sequence number is calculated
| (not random), and is based on a cryptographic calculation of the
| sender's Initial Sequence Number, the ports, and a "per boot"
| secret number. In this way the initial packet can be discarded,
| and on receipt of the third SYN packet can be recalculated.
cool idea!
look at:
ftp.op.net:/pub/src/syn-prophylactica/
for an implementation.
--jeff
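The scheme quoted above (a server ISN computed as a keyed function of the addresses, ports, client ISN and a per-boot secret, so the SYN can be dropped and the third packet verified by recomputation; the approach later known as SYN cookies), as an added Python example that is not the syn-prophylactica code from ftp.op.net. The choice of HMAC-SHA256 truncated to 32 bits, and the secret, addresses and ISN values, are constructed for this demo.

```python
import hashlib
import hmac

MASK32 = 0xFFFFFFFF

def cookie_isn(secret, src, sport, dst, dport, client_isn):
    """Server ISN = keyed hash of (addresses, ports, client ISN) under the per-boot secret.
    Nothing about the half-open connection is stored: the ISN itself carries the state."""
    msg = f"{src}:{sport}>{dst}:{dport}:{client_isn}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")

def handle_syn(secret, src, sport, dst, dport, client_isn):
    """First packet of the handshake: answer with a SYN-ACK and keep no table entry."""
    return {"seq": cookie_isn(secret, src, sport, dst, dport, client_isn),
            "ack": (client_isn + 1) & MASK32}

def handle_ack(secret, src, sport, dst, dport, seq, ack):
    """Third packet: the client's seq is client_isn+1 and its ack is our ISN+1.
    Recompute the ISN from the packet alone and accept only if it matches."""
    client_isn = (seq - 1) & MASK32
    expected = cookie_isn(secret, src, sport, dst, dport, client_isn)
    got = (ack - 1) & MASK32
    return hmac.compare_digest(expected.to_bytes(4, "big"), got.to_bytes(4, "big"))

def demo():
    """Constructed scenario: one honest client, one bad ACK, one secret rotation."""
    secret = b"per-boot-secret-constructed-for-demo"   # a real stack draws this at boot
    src, sport, dst, dport = "198.51.100.7", 40000, "203.0.113.5", 80
    client_isn = 0x12345678
    synack = handle_syn(secret, src, sport, dst, dport, client_isn)
    client_seq = (client_isn + 1) & MASK32
    # Honest client: acknowledges our ISN+1, so the recomputed cookie matches.
    honest = handle_ack(secret, src, sport, dst, dport, client_seq, (synack["seq"] + 1) & MASK32)
    # An ACK that never saw the SYN-ACK: one off from the real cookie, so it is dropped.
    bad = handle_ack(secret, src, sport, dst, dport, client_seq, (synack["seq"] + 2) & MASK32)
    # After a reboot the secret changes, so a stale ACK no longer validates.
    rebooted = handle_ack(b"new-secret-after-reboot", src, sport, dst, dport,
                          client_seq, (synack["seq"] + 1) & MASK32)
    return honest, bad, rebooted

if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Note that the third packet must carry a correct 32-bit cookie, so a flood of SYNs costs the server one hash per packet and no memory, which is the point of the quoted proposal.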