Subject: Re: SYN cookie ?
To: Ignatios Souvatzis <firstname.lastname@example.org>
From: Darren Reed <email@example.com>
Date: 04/24/2001 02:07:22
In some email I received from Ignatios Souvatzis, sie wrote:
> On Mon, Apr 23, 2001 at 05:52:19PM +0200, Dr. Rene Hexel wrote:
> > Darren Reed wrote:
> > > What gets me, about all of this, is that it just moves the resource
> > > problem from one box to another and doesn't actually solve it. To
> > Also, in an attack situation, such a firewall might come under
> > considerably more stress (than a single host implementing
> > syn-cache/cookie) trying to protect a (possibly very large) number of
> > hosts at the same time.
> Let me be the devil's advocate for a moment:
> Assuming you don't keep state to resend the syn-ack, believing
> that it's not necessary, why is this so? You send the synack and forget
> about it. You only ever set up state at the moment the acktothesynack
> arrives. The attacker, contrary to the normal user, won't answer the synack,
That's what timeouts are for.
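
The stateless handshake described in the quoted text (send the SYN-ACK, keep nothing, set up state only when the ACK to the SYN-ACK arrives), as an added example that is not part of the original message and not any particular kernel's implementation. The cookie layout (5 bits of time counter, 27 bits of HMAC), the key, the slot length and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import struct

SECRET = b"constructed-demo-key"  # assumption: a real stack uses a random per-boot key
SLOT = 64                         # assumption: seconds per time slot


def _cookie(src, sport, dst, dport, client_isn, counter):
    """32-bit ISN: 5 bits of time counter, 27 bits of keyed MAC over the flow."""
    msg = socket.inet_aton(src) + socket.inet_aton(dst)
    msg += struct.pack("!HHIQ", sport, dport, client_isn, counter)
    mac = hmac.new(SECRET, msg, hashlib.sha256).digest()
    mac27 = struct.unpack("!I", mac[:4])[0] >> 5
    return ((counter & 0x1F) << 27) | mac27


def make_cookie(src, sport, dst, dport, client_isn, now):
    """On SYN: compute the SYN-ACK sequence number, then store nothing."""
    return _cookie(src, sport, dst, dport, client_isn, int(now) // SLOT)


def check_ack(src, sport, dst, dport, seq, ack, now):
    """On ACK: rebuild the cookie from the packet itself; True means create state."""
    cookie = (ack - 1) & 0xFFFFFFFF
    client_isn = (seq - 1) & 0xFFFFFFFF
    current = int(now) // SLOT
    for counter in (current, current - 1):  # accept current and previous slot
        if counter < 0:
            continue
        expected = _cookie(src, sport, dst, dport, client_isn, counter)
        if hmac.compare_digest(expected.to_bytes(4, "big"), cookie.to_bytes(4, "big")):
            return True
    return False


if __name__ == "__main__":
    # Constructed flow using documentation addresses.
    flow = ("192.0.2.10", 40000, "198.51.100.1", 80)
    c = make_cookie(*flow, client_isn=1000, now=1000)
    print(check_ack(*flow, seq=1001, ack=(c + 1) & 0xFFFFFFFF, now=1010))
    print(check_ack(*flow, seq=1001, ack=(c + 1) & 0xFFFFFFFF, now=1200))
```

Because nothing is stored between the SYN and the ACK, the server never retransmits a lost SYN-ACK; recovery depends on the client retransmitting its SYN.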