Subject: Re: SYN cookie ?
To: None <tech-kern@netbsd.org>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
List: tech-kern
Date: 04/18/2001 09:26:29
>> Is there someone who is interested in the implementation of SYN
>> cookie in NetBSD kernel ?
> wth IS a SYN cookie?
An alternative defense against SYN flooding. The idea is that instead
of keeping any state locally, you encode enough state into the SYN-ACK
packet that if/when you get the third (ACK) packet, you can (re)create
all the necessary state to create the connection then.
It's a clever idea. The problem is finding enough bits in the SYN-ACK
that you can count on getting back in the ACK...without losing various
other valuable properties, like ISN randomness and ISN linearity.
der Mouse
mouse@rodents.montreal.qc.ca
7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
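As an added example (not code from this thread or from the NetBSD kernel), here is a small C sketch of the encoding the reply describes: the server's ISN in the SYN-ACK is derived from a keyed hash of the 4-tuple, a coarse time counter and an MSS index, and the final ACK is validated by recomputing that value from the packet alone. The keyed_mix function is a toy stand-in for a real keyed hash, and the 4-tuple, secret, counter and MSS table are constructed values.

```c
#include <stdint.h>
#include <stdio.h>

struct flow { uint32_t saddr, daddr; uint16_t sport, dport; };

/* Toy keyed mixing function standing in for a real keyed hash (assumption). */
static uint32_t keyed_mix(const struct flow *f, uint32_t count, uint32_t secret)
{
    uint32_t in[4] = { f->saddr, f->daddr, ((uint32_t)f->sport << 16) | f->dport, count };
    uint32_t h = 0x9e3779b9u ^ secret;
    for (int i = 0; i < 4; i++) {
        h ^= in[i];
        h *= 0x01000193u;
        h ^= h >> 15;
    }
    return h;
}

/* Only a few MSS values fit: the cookie carries a table index, not the value. */
#define MSS_SLOTS 4
static const uint16_t mss_table[MSS_SLOTS] = { 536, 1220, 1440, 1460 };

/* Server ISN for the SYN-ACK, relative to the client's ISN:
 * bits 31..24 = coarse time counter, bits 23..0 = keyed hash + MSS index (mod 2^24). */
uint32_t cookie_make(const struct flow *f, uint32_t client_isn, uint32_t count,
                     uint32_t mss_idx, uint32_t secret)
{
    uint32_t h = keyed_mix(f, count & 0xffu, secret) & 0xffffffu;
    return client_isn + ((count & 0xffu) << 24) + ((h + mss_idx) & 0xffffffu);
}

/* On the final ACK: rebuild the cookie from packet fields only, no stored state.
 * Returns the MSS index, or -1 if the counter is stale or the hash does not match. */
int cookie_check(const struct flow *f, uint32_t client_isn, uint32_t ack,
                 uint32_t now, uint32_t secret)
{
    uint32_t cookie = ack - 1 - client_isn;            /* ACK acknowledges server ISN + 1 */
    uint32_t count = cookie >> 24;
    if (((now - count) & 0xffu) > 1u)                  /* accept current and previous slot only */
        return -1;
    uint32_t h = keyed_mix(f, count, secret) & 0xffffffu;
    uint32_t idx = ((cookie & 0xffffffu) - h) & 0xffffffu;
    return idx < MSS_SLOTS ? (int)idx : -1;
}

int main(void)
{
    struct flow f = { 0x0a000001u, 0x0a000002u, 40000, 80 };   /* constructed sample 4-tuple */
    uint32_t isn = 0x12345678u, secret = 0xdeadbeefu;
    uint32_t syn_ack_seq = cookie_make(&f, isn, 17, 3, secret);
    int idx = cookie_check(&f, isn, syn_ack_seq + 1, 17, secret);
    printf("mss idx %d -> mss %u\n", idx, idx >= 0 ? mss_table[idx] : 0);
    printf("stale counter: %d\n", cookie_check(&f, isn, syn_ack_seq + 1, 20, secret));
    return 0;
}
```

The 8-bit counter and 24-bit hash-plus-index split is exactly the "enough bits" trade-off the reply points at: the server gets a stateless handshake, but loses free choice of ISN and can only recover a handful of MSS values from the returning ACK.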