[3470] in bugtraq
Re: Excellent host SYN-attack fix for BSD hosts
daemon@ATHENA.MIT.EDU (D. J. Bernstein)
Tue Oct 15 23:31:12 1996
Date: Tue, 15 Oct 1996 23:36:07 -0000
Reply-To: "D. J. Bernstein" <djb@koobera.math.uic.edu>
From: "D. J. Bernstein" <djb@koobera.math.uic.edu>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
The center of discussion of SYN cookies is the syncookies mailing list.
To join, send an empty message to

   syncookies-request@koobera.math.uic.edu

The most advanced proposal has two features that Jeff hasn't implemented
yet. First, it doesn't throw away information _unless_ the listen queue
fills up. Second, it uses a slightly more complicated choice of ISN.

These two features handle all of the complaints mentioned here:

1. ``Allows fake ACKs through SYN-checking firewalls'': Not unless the
   attacker has a collaborator behind the firewall.

2. ``Doesn't deal with window scaling'': Window scaling isn't affected
   except when you're under attack.

3. ``Breaks TCP's algorithm for recognizing stale data'': The new choice
   of ISN solves this.

4. ``Breaks T/TCP'': T/TCP should work just fine except when you're
   under attack.

SYN cookies change the listen queue from a crucial bottleneck into a
mildly helpful cache. They're a win for dealing with legitimate SYN
bursts as well as illegitimate SYN floods. Why drop a packet if you can
send back a cookie instead?

---Dan
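Added illustration, not part of the post above and not Jeff's or Bernstein's implementation: a minimal stateless SYN cookie in Python showing the mechanism the post is arguing about. A SYN that arrives when the listen queue is full is answered with a SYN-ACK whose ISN is a cookie (here: 5-bit time counter, 3-bit MSS-table index, 24-bit keyed hash, added to the client's ISN); the server keeps no per-connection state, and the returning ACK is accepted only if the cookie recomputes and is not too old. The bit layout is the widely published SYN-cookie layout; the HMAC-SHA256 hash, the MSS table, the 4-tick window and all addresses, ports and sequence numbers below are constructed for this example and are not the "slightly more complicated choice of ISN" the post refers to.

```python
"""Simplified stateless SYN cookie: encode on SYN, validate on ACK.

Constructed example; the constants below are assumptions, not a real stack's.
"""
import hashlib
import hmac
import os
import struct
import time
from typing import NamedTuple, Optional

# Assumed 8-entry MSS table (3 bits of index) and a 4-tick validity window.
MSS_TABLE = (536, 1024, 1220, 1400, 1440, 1452, 1460, 4312)
COOKIE_WINDOW = 4
TIME_BITS, MSS_BITS, HASH_BITS = 5, 3, 24
TIME_MASK = (1 << TIME_BITS) - 1
MSS_MASK = (1 << MSS_BITS) - 1
HASH_MASK = (1 << HASH_BITS) - 1


class FourTuple(NamedTuple):
    saddr: str
    daddr: str
    sport: int
    dport: int


def current_tick() -> int:
    """Coarse clock for the cookie's time field (one tick = 64 s, assumed)."""
    return int(time.time()) // 64


def _ip(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def _mss_index(mss: int) -> int:
    """Largest table entry not exceeding the MSS the client advertised."""
    idx = 0
    for i, value in enumerate(MSS_TABLE):
        if value <= mss:
            idx = i
    return idx


def _cookie_hash(secret: bytes, ft: FourTuple, client_isn: int,
                 t: int, mss_idx: int) -> int:
    """24-bit keyed hash binding the cookie to the 4-tuple, client ISN,
    time field and MSS index, so none of them can be altered by a forger."""
    msg = struct.pack("!4s4sHHIBB", _ip(ft.saddr), _ip(ft.daddr),
                      ft.sport, ft.dport, client_isn, t, mss_idx)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_syn_cookie(secret: bytes, ft: FourTuple, client_isn: int,
                    client_mss: int, tick: int) -> int:
    """Server ISN for the SYN-ACK; nothing about this SYN is stored."""
    t = tick & TIME_MASK
    mss_idx = _mss_index(client_mss)
    h = _cookie_hash(secret, ft, client_isn, t, mss_idx)
    payload = (t << (MSS_BITS + HASH_BITS)) | (mss_idx << HASH_BITS) | h
    return (client_isn + payload) & 0xFFFFFFFF


def check_syn_cookie(secret: bytes, ft: FourTuple, client_isn: int,
                     server_isn: int, tick: int) -> Optional[int]:
    """On the final ACK (seq = client_isn + 1, ack = server_isn + 1):
    return the negotiated MSS if the cookie is genuine and fresh, else None."""
    payload = (server_isn - client_isn) & 0xFFFFFFFF
    t = payload >> (MSS_BITS + HASH_BITS)
    mss_idx = (payload >> HASH_BITS) & MSS_MASK
    h = payload & HASH_MASK
    age = (tick - t) & TIME_MASK          # modular: counter wraps every 32 ticks
    if age > COOKIE_WINDOW:
        return None                       # stale cookie, possibly replayed
    expected = _cookie_hash(secret, ft, client_isn, t, mss_idx)
    if not hmac.compare_digest(h.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None                       # forged or corrupted cookie
    return MSS_TABLE[mss_idx]


def demo(secret: Optional[bytes] = None):
    """Constructed handshake: legitimate ACK, forged ACK, stale ACK."""
    secret = secret or os.urandom(32)     # per-boot server secret
    ft = FourTuple("10.0.0.5", "192.0.2.10", 40000, 80)
    client_isn, tick = 0x12345678, 100
    isn = make_syn_cookie(secret, ft, client_isn, 1460, tick)
    legit = check_syn_cookie(secret, ft, client_isn, isn, tick + 1)
    forged = check_syn_cookie(secret, ft, client_isn, isn ^ 1, tick + 1)
    stale = check_syn_cookie(secret, ft, client_isn, isn, tick + COOKIE_WINDOW + 1)
    return legit, forged, stale


if __name__ == "__main__":
    print(demo())
```

The forged case is what complaint 1 in the post is about: an ACK with a guessed cookie reaches the host, but without the secret the 24-bit hash does not verify, so no connection is created. The cost of statelessness is visible too: only the MSS survives the round trip (through a small table), which is why options such as window scaling are lost exactly when cookies are in use.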