Bugtraq mailing list archives

Re: Excellent host SYN-attack fix for BSD hosts


From: djb () koobera math uic edu (D. J. Bernstein)
Date: Tue, 15 Oct 1996 23:36:07 -0000


The center of discussion of SYN cookies is the syncookies mailing list.
To join, send an empty message to

   syncookies-request () koobera math uic edu

The most advanced proposal has two features that Jeff hasn't implemented
yet. First, it doesn't throw away information _unless_ the listen queue
fills up. Second, it uses a slightly more complicated choice of ISN.

These two features handle all of the complaints mentioned here:

1. ``Allows fake ACKs through SYN-checking firewalls'': Not unless the
attacker has a collaborator behind the firewall.

2. ``Doesn't deal with window scaling'': Window scaling isn't affected
except when you're under attack.

3. ``Breaks TCP's algorithm for recognizing stale data'': The new choice
of ISN solves this.

4. ``Breaks T/TCP'': T/TCP should work just fine except when you're
under attack.

SYN cookies change the listen queue from a crucial bottleneck into a
mildly helpful cache. They're a win for dealing with legitimate SYN
bursts as well as illegitimate SYN floods. Why drop a packet if you can
send back a cookie instead?

---Dan
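The listen-queue-as-cache behaviour and the time-stamped cookie ISN described above, as an added Python model that is not Dan's code or the BSD patch; the secret, the MSS table, the 6-bit time counter, the 24-bit hash width and the tiny queue limit are constructed assumptions.

```python
import hmac
import hashlib

# Added illustration of SYN cookies, not the BSD patch or Dan's implementation.
# Secret, MSS table, queue size and tick width are constructed assumptions.
SECRET = b"rotate-this-secret"
MSS_TABLE = [536, 1220, 1460, 4312]   # 2 ISN bits select the client's MSS
QUEUE_LIMIT = 2                        # tiny listen queue so the cookie path runs
TICK_MASK = 0x3F                       # 6-bit cookie-time counter (one tick ~ a minute)


def cookie_isn(saddr, sport, daddr, dport, client_seq, tick, mss_idx):
    """ISN = [6-bit tick][2-bit MSS index][24-bit keyed hash of 4-tuple, seq, tick]."""
    msg = f"{saddr}:{sport}:{daddr}:{dport}:{client_seq}:{tick}".encode()
    h = int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")
    return ((tick & TICK_MASK) << 26) | ((mss_idx & 0x3) << 24) | h


def check_cookie(saddr, sport, daddr, dport, client_seq, isn, now_tick):
    """Return the MSS index if isn is our unexpired cookie for this 4-tuple, else None."""
    tick, mss_idx = (isn >> 26) & TICK_MASK, (isn >> 24) & 0x3
    if (now_tick - tick) & TICK_MASK > 1:          # older than one tick: expired
        return None
    expected = cookie_isn(saddr, sport, daddr, dport, client_seq, tick, mss_idx)
    ok = hmac.compare_digest(expected.to_bytes(4, "big"), isn.to_bytes(4, "big"))
    return mss_idx if ok else None


class Listener:
    """Listen queue as a cache: keep SYN state while there is room, else answer statelessly."""

    def __init__(self, addr, port):
        self.addr, self.port, self.tick = addr, port, 0
        self.queue = {}   # (saddr, sport) -> (client_seq, our_isn, mss_idx)

    def on_syn(self, saddr, sport, client_seq, mss_idx):
        """Return our ISN for the SYN-ACK; record state only if the queue has room."""
        isn = cookie_isn(saddr, sport, self.addr, self.port, client_seq, self.tick, mss_idx)
        if len(self.queue) < QUEUE_LIMIT:
            self.queue[(saddr, sport)] = (client_seq, isn, mss_idx)
        return isn

    def on_ack(self, saddr, sport, seq, ack):
        """Third handshake packet (seq = client ISN+1, ack = our ISN+1): MSS or None."""
        entry = self.queue.get((saddr, sport))
        if entry and entry[0] + 1 == seq and entry[1] + 1 == ack:
            del self.queue[(saddr, sport)]   # queued state matched: nothing was thrown away
            return MSS_TABLE[entry[2]]
        idx = check_cookie(saddr, sport, self.addr, self.port, (seq - 1) & 0xFFFFFFFF, (ack - 1) & 0xFFFFFFFF, self.tick)
        return None if idx is None else MSS_TABLE[idx]
```

While the queue has room a connection completes from stored state; once it is full the SYN-ACK still goes out and the final ACK is accepted purely from the cookie, so a flood only costs the options the cookie cannot carry.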


