Bugtraq mailing list archives
Re: Excellent host SYN-attack fix for BSD hosts
From: djb () koobera math uic edu (D. J. Bernstein)
Date: Tue, 15 Oct 1996 23:36:07 -0000
The center of discussion of SYN cookies is the syncookies mailing list. To join, send an empty message to syncookies-request () koobera math uic edu

The most advanced proposal has two features that Jeff hasn't implemented yet. First, it doesn't throw away information _unless_ the listen queue fills up. Second, it uses a slightly more complicated choice of ISN.

These two features handle all of the complaints mentioned here:

1. ``Allows fake ACKs through SYN-checking firewalls'': Not unless the attacker has a collaborator behind the firewall.

2. ``Doesn't deal with window scaling'': Window scaling isn't affected except when you're under attack.

3. ``Breaks TCP's algorithm for recognizing stale data'': The new choice of ISN solves this.

4. ``Breaks T/TCP'': T/TCP should work just fine except when you're under attack.

SYN cookies change the listen queue from a crucial bottleneck into a mildly helpful cache. They're a win for dealing with legitimate SYN bursts as well as illegitimate SYN floods. Why drop a packet if you can send back a cookie instead?

---Dan
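The sketch below is an added example, not code from the message or from any SYN cookie implementation. It models the "listen queue as a cache" idea: full options are kept while the queue has room, and only when it is full does the server rely on the cookie alone, which is why window scaling is lost only under load. The cookie layout (5-bit time counter, 3-bit MSS index, 24-bit keyed tag), the secret, the MSS table, the queue size and all names are assumptions chosen for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"        # assumption: per-boot server secret
MSS_CHOICES = [536, 1024, 1460, 4312]   # assumption: table indexed by 3-bit field
QUEUE_LIMIT = 2                         # tiny listen queue for the demo

def _tag(conn, t, idx):
    """24-bit keyed function of the 4-tuple, time counter t and MSS index."""
    msg = repr((conn, t, idx)).encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")

def make_cookie(conn, mss, t):
    # Largest table entry not exceeding the client's MSS (floor at entry 0).
    idx = max(i for i, m in enumerate(MSS_CHOICES) if m <= max(mss, MSS_CHOICES[0]))
    return ((t % 32) << 27) | (idx << 24) | _tag(conn, t, idx)

def check_cookie(conn, cookie, t_now, max_age=2):
    """Return the encoded MSS if the cookie is fresh and authentic, else None."""
    idx = (cookie >> 24) & 7
    if idx >= len(MSS_CHOICES):
        return None
    for t in range(t_now, max(t_now - max_age, 0) - 1, -1):
        expected = ((t % 32) << 27) | (idx << 24) | _tag(conn, t, idx)
        if hmac.compare_digest(expected.to_bytes(4, "big"), cookie.to_bytes(4, "big")):
            return MSS_CHOICES[idx]
    return None

class Listener:
    def __init__(self):
        self.queue = {}                 # conn -> (isn, full options), a cache only

    def on_syn(self, conn, mss, wscale, t):
        """Return the server ISN for the SYN-ACK; no SYN is ever dropped."""
        isn = make_cookie(conn, mss, t)
        if len(self.queue) < QUEUE_LIMIT:
            self.queue[conn] = (isn, {"mss": mss, "wscale": wscale})
        return isn                      # queue full: state lives in the cookie

    def on_ack(self, conn, ack, t):
        """Return the connection options, or None to reject the ACK."""
        entry = self.queue.get(conn)
        if entry and (entry[0] + 1) & 0xFFFFFFFF == ack:
            del self.queue[conn]
            return entry[1]             # cache hit: window scaling survives
        mss = check_cookie(conn, (ack - 1) & 0xFFFFFFFF, t)
        return None if mss is None else {"mss": mss, "wscale": None}
```
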