Subject: Re: SYN cookie ?
To: Ignatios Souvatzis <ignatios@cs.uni-bonn.de>
From: Darren Reed <darrenr@reed.wattle.id.au>
List: tech-kern
Date: 04/24/2001 02:07:22
In some email I received from Ignatios Souvatzis, sie wrote:
> On Mon, Apr 23, 2001 at 05:52:19PM +0200, Dr. Rene Hexel wrote:
> > Darren Reed wrote:
> > 
> > > What gets me, about all of this, is that it just moves the resource
> > > problem from one box to another and doesn't actually solve it.  To
> > 
> >   Also, in an attack situation, such a firewall might come under
> > considerably more stress (than a single host implementing
> > syn-cache/cookie) trying to protect a (possibly very large) number of
> > hosts at the same time.
> 
> Let me be the devil's advocate for a moment:
> 
> Assuming you don't keep state to resend the syn-ack, believing 
> that it's not necessary, why is this so? You send the synack and forget
> about it. You only ever set up state at the moment the ack to the synack
> arrives. The attacker, contrary to the normal user, won't answer the synack,
> right?

That's what timeouts are for.

Darren
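To make the exchange above concrete, here is an added worked example of the stateless SYN-ACK-and-validate flow that Ignatios describes, with the time counter that gives the cookie the timeout Darren refers to. This is illustration code written for this page; it is not NetBSD's syncache/syncookie implementation and not code from anyone in the thread. The layout (5-bit time counter, 3-bit MSS index, 24-bit keyed hash in the server's ISN), the 60-second tick, the two-tick acceptance window, the MSS table and the mixing function are all assumptions; a real implementation must use a keyed cryptographic hash in place of the placeholder mixer.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed example: a simplified SYN cookie encoder/validator.
 * The server answers every SYN with a SYN-ACK whose ISN is a cookie,
 * keeps no state, and only builds a connection when an ACK arrives
 * that carries a cookie it could have issued recently. */

struct tuple {
    uint32_t saddr, daddr;   /* client and server IPv4 addresses */
    uint16_t sport, dport;   /* client and server ports */
};

/* Assumed MSS table: the SYN's MSS is rounded down to one of these
 * so that it fits in the 3-bit index carried inside the cookie. */
static const uint16_t mss_table[] = { 536, 1300, 1440, 1460 };
#define MSS_SLOTS      (sizeof mss_table / sizeof mss_table[0])
#define COOKIE_PERIOD  60   /* seconds per counter tick (assumption) */
#define COOKIE_MAX_AGE 1    /* accept the current and previous tick only */

/* Placeholder keyed mixer (splitmix-style), NOT cryptographic.
 * A real cookie uses a keyed cryptographic hash here, otherwise an
 * attacker can forge the low 24 bits without ever seeing a SYN-ACK. */
static uint32_t mix(uint64_t key, const struct tuple *t,
                    uint32_t client_isn, uint32_t count)
{
    uint64_t x = key ^ ((uint64_t)t->saddr << 32 | t->daddr);
    x ^= (uint64_t)t->sport << 48 | (uint64_t)t->dport << 32 | client_isn;
    x ^= (uint64_t)count * 0x9E3779B97F4A7C15ULL;
    x ^= x >> 30; x *= 0xBF58476D1CE4E5B9ULL;
    x ^= x >> 27; x *= 0x94D049BB133111EBULL;
    x ^= x >> 31;
    return (uint32_t)x & 0xFFFFFF;
}

/* Largest table entry not exceeding the peer's advertised MSS. */
static uint32_t mss_index(uint16_t peer_mss)
{
    uint32_t idx = 0;
    for (uint32_t i = 0; i < MSS_SLOTS; i++)
        if (mss_table[i] <= peer_mss)
            idx = i;
    return idx;
}

/* Called on SYN: returns the ISN to place in the SYN-ACK. No state kept. */
uint32_t syncookie_make(uint64_t key, const struct tuple *t,
                        uint32_t client_isn, uint16_t peer_mss, uint32_t now)
{
    uint32_t count = (now / COOKIE_PERIOD) & 31;
    uint32_t idx = mss_index(peer_mss);
    return count << 27 | idx << 24 | mix(key, t, client_isn, count);
}

/* Called on a bare ACK for which no state exists. seq/ack are the
 * segment's sequence and acknowledgement numbers. Returns 1 and sets
 * *mss if the ACK proves the client saw a cookie we issued within
 * COOKIE_MAX_AGE ticks; the counter check is the cookie's timeout. */
int syncookie_check(uint64_t key, const struct tuple *t,
                    uint32_t seq, uint32_t ack, uint32_t now, uint16_t *mss)
{
    uint32_t cookie = ack - 1;          /* our ISN, echoed back */
    uint32_t client_isn = seq - 1;      /* client's ISN from its SYN */
    uint32_t count = cookie >> 27;
    uint32_t idx = (cookie >> 24) & 7;
    uint32_t now_count = (now / COOKIE_PERIOD) & 31;
    uint32_t age = (now_count - count) & 31;

    if (age > COOKIE_MAX_AGE)           /* too old: the cookie timed out */
        return 0;
    if (idx >= MSS_SLOTS)               /* index we never issue */
        return 0;
    if ((cookie & 0xFFFFFF) != mix(key, t, client_isn, count))
        return 0;                       /* forged or for another tuple */
    *mss = mss_table[idx];
    return 1;
}

int main(void)
{
    /* Constructed sample: client 10.0.0.1:40000 -> server 10.0.0.2:80 */
    struct tuple t = { 0x0A000001, 0x0A000002, 40000, 80 };
    uint64_t key = 0x0123456789ABCDEFULL;  /* assumed per-boot secret */
    uint32_t isn = syncookie_make(key, &t, 1000u, 1460, 1000);
    uint16_t mss = 0;
    printf("fresh ACK accepted: %d (mss %u)\n",
           syncookie_check(key, &t, 1001u, isn + 1, 1000, &mss), mss);
    printf("ACK 3 ticks later accepted: %d\n",
           syncookie_check(key, &t, 1001u, isn + 1, 1180, &mss));
    return 0;
}
```

The point of the time counter is the one Darren makes: since nothing is stored at SYN time, the only way to "time out" a cookie is to bake a coarse timestamp into it and refuse ACKs whose counter is too far behind the current one.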