Bugtraq mailing list archives

Re: Excellent host SYN-attack fix for BSD hosts


From: casper () holland Sun COM (Casper Dik)
Date: Mon, 14 Oct 1996 09:08:08 +0200


"Charles M. Hannum" <mycroft () mit edu> writes:


> Avi Freedman <freedman () netaxs com> writes:
>
> > No state is kept locally; when a SYN is received, an ISS is generated that
> > contains a few bits for reference into a table of MSS values; window size
> > and any initial data is discarded; and the rest of the ISS is the MD5 output
> > of a 32-byte secret and all of the interesting header info.
>
> This doesn't seem to deal with window scaling, which is a big lose on
> high-bandwidth networks.  It also breaks TCP's algorithm for
> recognizing stale data.


It also breaks "naked SYN" filtering which is commonly employed as a way
to let established connections through without much effort and filter only
those TCP packets that have a SYN.

(Stuff like Cisco's established keyword)

If you want to use "SYN cookies", as this approach is commonly called,
you should only start to employ them when the connection queue is full.

Casper
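A worked model of the scheme quoted above and of the fallback Casper recommends, added here as an illustration; it is not code from this thread, from Avi Freedman's patch, or from any BSD kernel. The cookie follows the quoted description (a few low ISS bits index an MSS table, the rest is MD5 over a 32-byte secret and header fields), and the Listener only issues cookies once its half-open queue is full. The MSS table, the 3-bit index width, the exact header fields hashed (addresses, ports, peer ISN), the constructed secret and the Listener class are assumptions of this example, and the sample addresses and ports are made up.

```python
import hashlib
import random
import struct

# Constructed demo secret. A real host draws 32 random bytes at boot; the
# 32-byte length matches the secret described in the quoted patch.
SECRET = bytes(range(32))

# Assumed table of MSS values: 3 index bits, leaving 29 bits of MD5 output
# for the rest of the initial send sequence number (ISS).
MSS_TABLE = (536, 1220, 1300, 1360, 1400, 1440, 1460, 8960)
MSS_BITS = 3
HASH_MASK = (1 << (32 - MSS_BITS)) - 1
SEQ_MASK = 0xFFFFFFFF


def _ip(addr):
    """Dotted-quad string to 4 network-order bytes."""
    return bytes(int(octet) for octet in addr.split("."))


def _header_digest(saddr, sport, daddr, dport, client_isn):
    """MD5 over the secret and the header fields the cookie is bound to
    (assumed set: addresses, ports, peer ISN), truncated to 29 bits.
    Nothing is stored on the host between SYN and ACK."""
    msg = SECRET + struct.pack("!4sH4sHI", _ip(saddr), sport,
                               _ip(daddr), dport, client_isn)
    return int.from_bytes(hashlib.md5(msg).digest()[:4], "big") & HASH_MASK


def mss_index(mss):
    """Index of the largest table entry not exceeding the peer's MSS option."""
    best = 0
    for i, value in enumerate(MSS_TABLE):
        if value <= mss:
            best = i
    return best


def make_cookie(saddr, sport, daddr, dport, client_isn, mss):
    """ISS for the SYN-ACK: keyed digest in the high bits, MSS index in the low
    bits. The peer's window, window-scale option and any data on the SYN are
    dropped, which is exactly the loss the thread points out."""
    digest = _header_digest(saddr, sport, daddr, dport, client_isn)
    return (digest << MSS_BITS) | mss_index(mss)


def check_cookie(saddr, sport, daddr, dport, client_isn, ack):
    """Validate the handshake-completing ACK without stored state: the ISS is
    ack-1, so recompute the digest and compare. Returns the MSS to use, or
    None when the ACK matches no cookie this host could have issued."""
    iss = (ack - 1) & SEQ_MASK
    if (iss >> MSS_BITS) != _header_digest(saddr, sport, daddr, dport, client_isn):
        return None
    return MSS_TABLE[iss & ((1 << MSS_BITS) - 1)]


class Listener:
    """Fixed-size half-open queue that switches to cookies only once the queue
    is full, as Casper recommends; connections that fit in the queue keep
    full option handling (window scale is remembered here, not in a cookie)."""

    def __init__(self, backlog):
        self.backlog = backlog
        self.half_open = {}  # (saddr, sport) -> (iss, client_isn, mss, wscale)

    def on_syn(self, saddr, sport, daddr, dport, client_isn, mss, wscale):
        key = (saddr, sport)
        if len(self.half_open) < self.backlog:
            iss = random.getrandbits(32)
            self.half_open[key] = (iss, client_isn, mss, wscale)
            return "queued", iss
        return "cookie", make_cookie(saddr, sport, daddr, dport, client_isn, mss)

    def on_ack(self, saddr, sport, daddr, dport, seq, ack):
        """Connection parameters on success, None on an ACK we cannot match."""
        key = (saddr, sport)
        client_isn = (seq - 1) & SEQ_MASK
        entry = self.half_open.get(key)
        if entry is not None:
            iss, want_isn, mss, wscale = entry
            if client_isn != want_isn or (ack & SEQ_MASK) != ((iss + 1) & SEQ_MASK):
                return None
            del self.half_open[key]
            return {"mss": mss, "wscale": wscale}
        mss = check_cookie(saddr, sport, daddr, dport, client_isn, ack)
        if mss is None:
            return None
        return {"mss": mss, "wscale": None}  # scale option is unrecoverable


if __name__ == "__main__":
    srv = Listener(backlog=1)
    print(srv.on_syn("10.0.0.5", 40000, "192.0.2.1", 80, 1000, 1460, 7))
    kind, iss = srv.on_syn("10.0.0.6", 40001, "192.0.2.1", 80, 2000, 1400, 7)
    print(kind, srv.on_ack("10.0.0.6", 40001, "192.0.2.1", 80, 2001, iss + 1))
    print("forged:", srv.on_ack("10.0.0.6", 40001, "192.0.2.1", 80, 2001, iss + 9))
```

Two properties of the cookie path are worth noticing when running this. First, the MSS index bits are not covered by the digest, so an ACK whose only difference from the real one is in those low bits still verifies (with a different MSS); the scheme is designed to tolerate that. Second, a connection completed through a cookie comes back with no window scale, which is the "big lose on high-bandwidth networks" in the quoted reply, whereas one that fit in the queue keeps the scale it negotiated. The example does not rotate the secret or mix a time counter into the digest, so a captured cookie ACK would stay valid indefinitely; the quoted description does not say how the patch handles that, so nothing is assumed here.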


