[e2e] ISN regeneration when Stateless SYN cookies are used

gangadharan annapurna nallu17 at hotmail.com
Thu Oct 18 00:04:10 PDT 2001


Hi folks,

I had a question about the Stateless SYN
cookie approach to solve the Denial of Service attack.
The Linux kernel has implemented this for quite some
time now.

So basically when we get an incoming SYN we send back a
SYN+ACK with the ISN generated as

ISN = f(t) + MD5(Sport,Saddress,Dport,Daddress,secret1)

where
  f(t) is a monotonically increasing function of time
  secret1 is a boot-time generated secret number



However, let's assume the SYN+ACK that we sent back got
delayed and the client sends a new SYN request.  And
the server sends back a new SYN+ACK and regenerates
a new ISN.  Note that we are not preserving any state,
so the ISN we sent back the first time cannot be regenerated
again.

In the meantime the client gets the OLD SYN and it accepts
it and the connection goes to established state. A TCB is
created.

Now when the new SYN+ACK arrives and if the new ISN falls
within the Receive window of the client, then the packet
is wrongly accepted.  How do we handle this issue?

thanks
Naren
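
The ISN formula from the message above, as an added example that is not part of the original post or of any kernel's code: for one 4-tuple the MD5 term is constant, so two cookies for the same flow differ only by f(t), and the server can validate the ACK for either one without stored state. The form of f(t) (a 64-second tick in the top 8 bits), the maximum cookie age, the addresses, the secret and all function names are assumptions made for the illustration.

```python
import hashlib
import socket
import struct

MASK32 = 0xFFFFFFFF
TICK_SECONDS = 64    # assumption: f(t) advances once per 64 s
TICK_SHIFT = 24      # assumption: the tick counter sits in the top 8 bits
MAX_AGE_TICKS = 2    # assumption: cookies older than 2 ticks are rejected

def f(t):
    """Time component of the ISN, stepping up once per tick (wraps mod 2**32)."""
    return ((int(t) // TICK_SECONDS) << TICK_SHIFT) & MASK32

def md5_32(sport, saddr, dport, daddr, secret):
    """First 32 bits of MD5(Sport, Saddress, Dport, Daddress, secret1)."""
    data = (struct.pack("!H", sport) + socket.inet_aton(saddr) +
            struct.pack("!H", dport) + socket.inet_aton(daddr) + secret)
    return struct.unpack("!I", hashlib.md5(data).digest()[:4])[0]

def make_isn(t, flow, secret):
    """ISN = f(t) + MD5(...), computed from the SYN alone; nothing is stored."""
    return (f(t) + md5_32(*flow, secret)) & MASK32

def check_ack(now, ack, flow, secret):
    """Validate the final ACK statelessly: ack - 1 - MD5(...) must be a recent f(t)."""
    recovered = (ack - 1 - md5_32(*flow, secret)) & MASK32
    tick = int(now) // TICK_SECONDS
    return any(recovered == ((tick - age) << TICK_SHIFT) & MASK32
               for age in range(MAX_AGE_TICKS + 1))

def in_window(seq, rcv_nxt, rcv_wnd):
    """Client-side test: does seq fall inside [rcv_nxt, rcv_nxt + rcv_wnd)?"""
    return ((seq - rcv_nxt) & MASK32) < rcv_wnd

# Constructed sample flow and secret (documentation addresses).
FLOW = (40000, "192.0.2.10", 80, "198.51.100.5")
SECRET = b"constructed-boot-secret"

if __name__ == "__main__":
    first = make_isn(1000, FLOW, SECRET)   # SYN+ACK that gets delayed
    same = make_isn(1003, FLOW, SECRET)    # SYN retransmitted in the same tick
    later = make_isn(1100, FLOW, SECRET)   # SYN retransmitted two ticks later
    print("same tick, same ISN:", first == same)
    print("ISN delta across ticks:", (later - first) & MASK32)
    print("later ISN in client window:", in_window(later, first + 1, 65535))
    print("both ACKs validate:", check_ack(1101, first + 1, FLOW, SECRET),
          check_ack(1101, later + 1, FLOW, SECRET))
```

Under these assumptions a SYN retransmitted within one tick gets the identical ISN, and one retransmitted later gets an ISN offset by a multiple of the f(t) step, so how the second SYN+ACK compares with the client's receive window depends on that step and not on the hash.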

