[3453] in bugtraq
Re: Excellent host SYN-attack fix for BSD hosts
daemon@ATHENA.MIT.EDU (Casper Dik)
Mon Oct 14 12:35:03 1996
Date: Mon, 14 Oct 1996 09:08:08 +0200
Reply-To: Casper Dik <casper@holland.Sun.COM>
From: Casper Dik <casper@holland.Sun.COM>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
"Charles M. Hannum" <mycroft@mit.edu> writes:
>Avi Freedman <freedman@netaxs.com> writes:
>
>>
>> No state is kept locally; when a SYN is received, an ISS is generated that
>> contains a few bits for reference into a table of MSS values; window size
>> and any initial data is discarded; and the rest of the ISS is the MD5 output
>> of a 32-byte secret and all of the interesting header info.
>
>This doesn't seem to deal with window scaling, which is a big lose on
>high-bandwidth networks. It also breaks TCP's algorithm for
>recognizing stale data.
It also breaks "naked SYN" filtering which is commonly employed as a way
to let established connections through without much effort and filter only
those TCP packets that have a SYN.
(Stuff like Cisco's established keyword)
If you want to use "SYN cookies", as this approach is commonly called,
you should only start to employ them when the connection queue is full.
Casper
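As an added example (not code from this post, nor from the BSD patch under discussion), the Python sketch below implements the stateless scheme Freedman's quoted paragraph describes: the ISS carries a few bits indexing a table of MSS values, the rest is the truncated MD5 of a 32-byte secret plus the connection's header fields, and nothing is stored locally. It also implements Casper's recommendation by keeping an ordinary half-open table until the backlog is full and only then answering with cookies. The exact bit layout (5-bit time counter, 3-bit MSS index, 24-bit MD5 tag), the MSS table, the packet field set hashed, and the class and function names are assumptions of this example, not anything specified on the page.

```python
"""Toy SYN-cookie generator/verifier plus a backlog policy (added example).

Cookie layout used here (an assumption of this example, not the post's):
    [5 bits: time counter][3 bits: MSS table index][24 bits: MD5 tag]
"""
import hashlib
import os
import struct

# Constructed MSS table: 8 entries so the index fits in 3 bits.
MSS_TABLE = (536, 1024, 1280, 1440, 1460, 2048, 4096, 8192)
COUNTER_BITS, MSS_BITS, TAG_BITS = 5, 3, 24
COUNTER_MASK = (1 << COUNTER_BITS) - 1
TAG_MASK = (1 << TAG_BITS) - 1

SECRET = os.urandom(32)  # 32-byte secret, as in the post; per-process here


def mss_index(client_mss):
    """Index of the largest table entry not exceeding the advertised MSS."""
    best = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            best = i
    return best


def _tag(secret, saddr, sport, daddr, dport, client_isn, counter):
    # MD5 over the secret and the header fields identifying the connection.
    # Note that window size/scale is NOT an input and is not recoverable later.
    h = hashlib.md5()
    h.update(secret)
    h.update(struct.pack("!4sH4sHII", saddr, sport, daddr, dport,
                         client_isn, counter))
    return struct.unpack("!I", h.digest()[:4])[0] & TAG_MASK


def make_cookie(secret, saddr, sport, daddr, dport, client_isn, client_mss,
                counter):
    """Build the ISS to send in the SYN-ACK; no state is retained."""
    idx = mss_index(client_mss)
    tag = _tag(secret, saddr, sport, daddr, dport, client_isn, counter)
    return (((counter & COUNTER_MASK) << (MSS_BITS + TAG_BITS))
            | (idx << TAG_BITS) | tag)


def check_cookie(secret, saddr, sport, daddr, dport, client_isn, ack,
                 now_counter, max_age=1):
    """Return the MSS encoded in a valid cookie echo, else None."""
    cookie = (ack - 1) & 0xFFFFFFFF          # the peer acks ISS + 1
    counter = cookie >> (MSS_BITS + TAG_BITS)
    idx = (cookie >> TAG_BITS) & ((1 << MSS_BITS) - 1)
    tag = cookie & TAG_MASK
    if ((now_counter - counter) & COUNTER_MASK) > max_age:
        return None                          # cookie too old (or from the future)
    if tag != _tag(secret, saddr, sport, daddr, dport, client_isn, counter):
        return None                          # forged or corrupted cookie
    return MSS_TABLE[idx]


class SynBacklog:
    """Stateful half-open table; falls back to cookies only when it is full."""

    def __init__(self, capacity, secret=SECRET):
        self.capacity = capacity
        self.secret = secret
        self.half_open = {}          # 4-tuple -> (client_isn, server_isn, mss)
        self.next_isn = 0x10000000   # constructed starting ISS for stateful path

    def on_syn(self, saddr, sport, daddr, dport, client_isn, client_mss, counter):
        key = (saddr, sport, daddr, dport)
        if len(self.half_open) < self.capacity:
            self.next_isn = (self.next_isn + 64000) & 0xFFFFFFFF
            self.half_open[key] = (client_isn, self.next_isn, client_mss)
            return "stateful", self.next_isn
        # Backlog full: answer with a cookie and remember nothing.
        return "cookie", make_cookie(self.secret, saddr, sport, daddr, dport,
                                     client_isn, client_mss, counter)

    def on_ack(self, saddr, sport, daddr, dport, seq, ack, counter):
        """Complete the handshake; returns the negotiated MSS or None."""
        key = (saddr, sport, daddr, dport)
        client_isn = (seq - 1) & 0xFFFFFFFF
        entry = self.half_open.pop(key, None)
        if entry is not None:
            _c_isn, s_isn, mss = entry
            return mss if ((ack - 1) & 0xFFFFFFFF) == s_isn else None
        return check_cookie(self.secret, saddr, sport, daddr, dport,
                            client_isn, ack, counter)
```

The `counter` argument stands in for a coarse clock (for example, minutes); a cookie is accepted only while its counter is within `max_age` ticks of the current one, so a flood of stale or guessed ACKs is rejected without any lookup. Only the MSS index survives the round trip, which is exactly the loss of window scaling Hannum objects to above, and because the server sends a SYN-ACK for every SYN once the backlog is full, a filter that passes "established" traffic and blocks only naked SYNs gains nothing from it, which is Casper's point.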