Subject: Re: SYN cookie ?
To: None <tech-kern@netbsd.org>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
List: tech-kern
Date: 04/18/2001 09:26:29
>> Is there someone who is interested in the implementation of SYN
>> cookie in NetBSD kernel ?

> wth IS a SYN cookie?

An alternative defense against SYN flooding.  The idea is that instead
of keeping any state locally, you encode enough state into the SYN-ACK
packet that if/when you get the third (ACK) packet, you can (re)create
all the necessary state to create the connection then.

It's a clever idea.  The problem is finding enough bits in the SYN-ACK
that you can count on getting back in the ACK...without losing various
other valuable properties, like ISN randomness and ISN linearity.

					der Mouse

			       mouse@rodents.montreal.qc.ca
		     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
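A user-space model of the scheme described above, added here as an illustration; it is not NetBSD code or code from the post. It assumes Bernstein's classic bit layout for the server ISN (5-bit time counter, 3-bit MSS index, 24-bit keyed tag), an HMAC-SHA256 tag truncated to 24 bits, and a constructed secret key; the 24-bit tag is exactly the "enough bits you can count on getting back in the ACK" that the post refers to.

```python
import hmac
import hashlib
import struct

# Constructed secret for this example; a kernel would generate it at boot
# and rotate it.
SECRET = b"constructed-example-key"

# Eight MSS values the 3-bit field can encode (largest entry <= the
# client's advertised MSS is used, as in Bernstein's original layout).
MSS_TABLE = (536, 1024, 1220, 1300, 1400, 1440, 1460, 8960)
COUNTER_PERIOD = 64          # seconds per tick of the 5-bit counter


def _mac(saddr, sport, daddr, dport, count):
    """Keyed 24-bit tag over the connection 4-tuple and the counter."""
    msg = struct.pack("!4sH4sHI", saddr, sport, daddr, dport, count)
    tag = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(tag[:3], "big")


def make_syn_cookie(saddr, sport, daddr, dport, client_mss, now):
    """ISN for the SYN-ACK: 5-bit counter | 3-bit MSS index | 24-bit tag.

    Nothing is stored for the half-open connection; the ISN itself carries
    the state, which is why ISN linearity is given up (the post's caveat).
    """
    count = (now // COUNTER_PERIOD) & 0x1F
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss),
                  default=0)
    return (count << 27) | (mss_idx << 24) | _mac(saddr, sport, daddr, dport, count)


def check_syn_cookie(saddr, sport, daddr, dport, ack_num, now):
    """Validate the third packet's ACK number; return the MSS or None.

    The client acknowledges ISN+1, so the cookie is ack_num-1.  Only the
    current and the previous counter value are accepted, so a cookie is
    good for roughly one to two minutes and cannot be replayed later.
    """
    cookie = (ack_num - 1) & 0xFFFFFFFF
    count, mss_idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    if ((now // COUNTER_PERIOD) - count) & 0x1F > 1:
        return None                           # stale or forged counter
    expected = _mac(saddr, sport, daddr, dport, count)
    if not hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None                           # tag does not verify
    return MSS_TABLE[mss_idx]                 # state recreated from the ACK alone
```

Because the tag is only 24 bits, an attacker who guesses ACK numbers blindly has a 1 in 2^24 chance per packet of completing a bogus handshake, which is the trade-off the post alludes to.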