nanog mailing list archives
Re: TCP SYN attacks - a simple solution
From: Jeff Weisberg <jaw () Op Net>
Date: Mon, 7 Oct 1996 08:46:14 -0400
| There have been several (many?) products attempting to solve the TCP
| SYN attack through timeouts. They watch the SYN packets, and flush
| ones, by doing a RESET on the connection if the third packet isn't
| received in time. Or letting conenctions fail by flushing the infant
| connection table when full. I believe this is wrong!
[...]
| I propose a solution where the initial sequence number is calculated
| (not random), and is based on a cryptographic calculation of the
| senders Initial Sequence Number, the ports, and a "per boot"
| secret number. In this way the initial packet can be discarded,
| and on receipt of the third SYN packet can be recalculated.
cool idea!
look at:
ftp.op.net:/pub/src/syn-prophylactica/
for an implementation.
--jeff
- - - - - - - - - - - - - - - - -
Current thread:
- TCP SYN attacks - a simple solution Rex di Bona (Oct 06)
- Re: TCP SYN attacks - a simple solution Avi Freedman (Oct 06)
- <Possible follow-ups>
- Re: TCP SYN attacks - a simple solution Matthew Kaufman (Oct 06)
- Re: TCP SYN attacks - a simple solution Avi Freedman (Oct 06)
- Re: TCP SYN attacks - a simple solution Mike O'Dell (Oct 06)
- Re: TCP SYN attacks - a simple solution Tim Bass (Oct 06)
- Re: TCP SYN attacks - a simple solution Perry E. Metzger (Oct 06)
- Re: TCP SYN attacks - a simple solution Tim Bass (Oct 06)
- Re: TCP SYN attacks - a simple solution Jeff Weisberg (Oct 07)
- Re: TCP SYN attacks - a simple solution Avi Freedman (Oct 07)
- Re: TCP SYN attacks - a simple solution Jeff Weisberg (Oct 07)