Subject: Re: SYN cookie ?
To: der Mouse <mouse@Rodents.Montreal.QC.CA>
From: Jon Lindgren <jlindgren@slk.com>
List: tech-kern
Date: 04/18/2001 09:28:57
On Wed, 18 Apr 2001, der Mouse wrote:
> >> Is there someone who is interested in the implementation of SYN
> >> cookies in the NetBSD kernel?
>
> > wth IS a SYN cookie?
>
> An alternative defense against SYN flooding. The idea is that instead
> of keeping any state locally, you encode enough state into the SYN-ACK
> packet that if/when you get the third (ACK) packet, you can (re)create
> all the necessary state to create the connection then.
>
> It's a clever idea. The problem is finding enough bits in the SYN-ACK
> that you can count on getting back in the ACK...without losing various
> other valuable properties, like ISN randomness and ISN linearity.
Is it realistically feasible? Not meaning "can it be done" but "can it be
done right"?
(man, my spelling is terrible ;-)
-
Jon
--------------------------------------------------------------------
- The opinions expressed are not necessarily those of my employer.
"I wonder how many people actually read my .sig?"
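A worked illustration of the scheme der Mouse describes above (state encoded into the SYN-ACK's ISN, then rebuilt from the third packet's ACK number), added here as example code that is neither from this thread nor from the NetBSD kernel; the bit layout, MSS table, counter window and secret are assumptions chosen for the illustration.

```python
import hmac
import hashlib
import struct

# Assumed cookie layout (32-bit ISN), not any particular kernel's format:
#   bits 31..27  5-bit coarse time counter (so old cookies expire)
#   bits 26..24  3-bit index into MSS_TABLE (the only option we get back)
#   bits 23..0   24-bit keyed MAC over the 4-tuple, counter and MSS index
# This is exactly the trade-off the thread mentions: the top byte is
# structured rather than random, so the ISN loses some of its randomness.
MSS_TABLE = (536, 1220, 1400, 1460)      # constructed; index must fit in 3 bits
COUNTER_WINDOW = 1                        # accept cookies from "now" or "now - 1"
SECRET = b"constructed-per-boot-secret"   # placeholder for a random per-boot key


def _mac24(secret, saddr, daddr, sport, dport, counter, mss_idx):
    """24-bit keyed MAC binding the cookie to the connection and its state."""
    msg = struct.pack("!4s4sHHIB", saddr, daddr, sport, dport, counter, mss_idx)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(secret, saddr, daddr, sport, dport, counter, mss):
    """ISN to send in the SYN-ACK; no state is kept locally."""
    # Round the peer's MSS down to the nearest table entry (smallest if below).
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    ctr = counter & 0x1F
    top = (ctr << 27) | (mss_idx << 24)
    return top | _mac24(secret, saddr, daddr, sport, dport, ctr, mss_idx)


def check_cookie(secret, saddr, daddr, sport, dport, ack, now_counter):
    """Validate the ACK of the third packet; return the recovered MSS or None."""
    cookie = (ack - 1) & 0xFFFFFFFF        # peer acknowledges ISN + 1
    ctr = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    if ((now_counter - ctr) & 0x1F) > COUNTER_WINDOW:
        return None                        # too old: counter has moved on
    if mss_idx >= len(MSS_TABLE):
        return None
    expected = _mac24(secret, saddr, daddr, sport, dport, ctr, mss_idx)
    got = cookie & 0xFFFFFF
    if not hmac.compare_digest(expected.to_bytes(3, "big"), got.to_bytes(3, "big")):
        return None                        # forged, replayed elsewhere, or corrupted
    return MSS_TABLE[mss_idx]              # enough state to build the connection
```

Only the MSS survives the round trip; options such as window scaling or SACK that were in the original SYN are gone once no state is kept, which is part of the "losing valuable properties" cost.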