nanog mailing list archives
Re: TCP SYN attacks - a simple solution
From: Jeff Weisberg <jaw () Op Net>
Date: Mon, 7 Oct 1996 08:46:14 -0400
| There have been several (many?) products attempting to solve the TCP
| SYN attack through timeouts. They watch the SYN packets, and flush
| ones, by doing a RESET on the connection if the third packet isn't
| received in time. Or letting connections fail by flushing the infant
| connection table when full. I believe this is wrong!

[...]

| I propose a solution where the initial sequence number is calculated
| (not random), and is based on a cryptographic calculation of the
| sender's Initial Sequence Number, the ports, and a "per boot"
| secret number. In this way the initial packet can be discarded,
| and on receipt of the third SYN packet can be recalculated.

cool idea!

look at:

ftp.op.net:/pub/src/syn-prophylactica/

for an implementation.

--jeff
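The scheme quoted above, worked through as an added example (this is not code from the post, nor from the syn-prophylactica implementation it points to). The server's initial sequence number is a keyed hash over the connection 4-tuple, the client's ISN and a per-boot secret, so the SYN is answered and forgotten; when the third packet arrives, the server recomputes the hash from the packet's own fields and accepts only if `ack - 1` matches. The example goes one step beyond the post by also folding a coarse time counter into the hash so that a cookie stops validating after a couple of slots; that counter, HMAC-SHA256 as the hash, and the names `make_isn`, `handle_syn` and `handle_ack` are assumptions, not anything the post specifies.

```python
import hashlib
import hmac
import secrets
import socket
import struct

# Per-boot secret, generated once at server start (constructed here for the example).
BOOT_SECRET = secrets.token_bytes(32)

# Seconds per time-counter tick. The post mentions only the per-boot secret; the
# counter is an extension (assumption) so that old cookies expire.
COOKIE_SLOT_SECONDS = 64
MASK32 = 0xFFFFFFFF


def time_counter(now):
    """Coarse counter derived from the server clock (seconds since the epoch)."""
    return int(now) // COOKIE_SLOT_SECONDS


def make_isn(secret, src_ip, dst_ip, sport, dport, client_isn, counter):
    """Server ISN = keyed hash over the 4-tuple, the peer's ISN and the counter,
    truncated to 32 bits. The same inputs reproduce the same ISN, so no
    per-connection state has to be kept between the SYN and the third packet."""
    msg = struct.pack("!4s4sHHIQ",
                      socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                      sport, dport, client_isn & MASK32, counter)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return struct.unpack("!I", digest[:4])[0]


def handle_syn(syn, now, secret=BOOT_SECRET):
    """First packet: reply with a SYN-ACK whose sequence number is the cookie.
    No infant-connection entry is created; the SYN itself is discarded."""
    isn = make_isn(secret, syn["src"], syn["dst"], syn["sport"], syn["dport"],
                   syn["seq"], time_counter(now))
    return {"seq": isn, "ack": (syn["seq"] + 1) & MASK32}


def handle_ack(ack, now, secret=BOOT_SECRET, max_age_slots=1):
    """Third packet: the peer's ISN is seq - 1 and our ISN must equal ack - 1.
    Recompute the cookie for the current and recent counter values and accept
    only on a match. Returns (accepted, reason)."""
    client_isn = (ack["seq"] - 1) & MASK32
    claimed_isn = (ack["ack"] - 1) & MASK32
    ctr = time_counter(now)
    for age in range(max_age_slots + 1):
        expected = make_isn(secret, ack["src"], ack["dst"], ack["sport"], ack["dport"],
                            client_isn, ctr - age)
        # Constant-time comparison of the two 32-bit values.
        if hmac.compare_digest(expected.to_bytes(4, "big"), claimed_isn.to_bytes(4, "big")):
            return True, "cookie valid; connection established"
    return False, "cookie mismatch or expired; packet dropped, no state consumed"


def demo():
    """Constructed handshake: a genuine third packet, a forged one, and a stale one."""
    t0 = 1_000_000.0  # multiple of COOKIE_SLOT_SECONDS, so t0 + 0.5 is the same slot
    syn = {"src": "198.51.100.7", "dst": "203.0.113.5",
           "sport": 40001, "dport": 80, "seq": 0x1234ABCD}
    synack = handle_syn(syn, t0)
    genuine = {**syn, "seq": (syn["seq"] + 1) & MASK32,
               "ack": (synack["seq"] + 1) & MASK32}
    forged = {**genuine, "ack": (genuine["ack"] + 1) & MASK32}
    return {
        "genuine": handle_ack(genuine, t0 + 0.5)[0],
        "forged": handle_ack(forged, t0 + 0.5)[0],
        "stale": handle_ack(genuine, t0 + 3 * COOKIE_SLOT_SECONDS)[0],
    }


if __name__ == "__main__":
    print(demo())
```

Because `handle_syn` stores nothing, a flood of SYNs costs the server one HMAC each and no table entries; the cost of verifying a third packet is the same HMAC again, and a packet whose acknowledgement number does not reproduce the cookie is dropped without ever touching the connection table.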
Current thread:
- TCP SYN attacks - a simple solution Rex di Bona (Oct 06)
- Re: TCP SYN attacks - a simple solution Avi Freedman (Oct 06)
- <Possible follow-ups>
- Re: TCP SYN attacks - a simple solution Matthew Kaufman (Oct 06)
- Re: TCP SYN attacks - a simple solution Avi Freedman (Oct 06)
- Re: TCP SYN attacks - a simple solution Mike O'Dell (Oct 06)
- Re: TCP SYN attacks - a simple solution Tim Bass (Oct 06)
- Re: TCP SYN attacks - a simple solution Perry E. Metzger (Oct 06)
- Re: TCP SYN attacks - a simple solution Tim Bass (Oct 06)
- Re: TCP SYN attacks - a simple solution Jeff Weisberg (Oct 07)
- Re: TCP SYN attacks - a simple solution Avi Freedman (Oct 07)
- Re: TCP SYN attacks - a simple solution Jeff Weisberg (Oct 07)