[e2e] ISN regeneration when Stateless SYN cookies are used

Michael B Greenwald mbgreen at dsl.cis.upenn.edu
Thu Oct 18 08:49:10 PDT 2001


   Thu, 18 Oct 2001 16:47:19 +0100
   Mahesh Sooriyabandara <mahesh at erg.abdn.ac.uk>

   >    I had a question about the Stateless SYN
   >    cookie approach to solve the Denial of Service attack.
   >    The linux kernel has implemented this for quite some
   >    time now. ...
   >
   >    In the meantime the client gets the OLD SYN and it accepts
   >    it and the connection goes to established state. A  TCB is
   >    created.
   >
   >    Now when the new SYN+ACK arrives and if the new ISN falls
   >    within the Receive window of the client, then the packet
   >    is wrongly accepted.  How  do we handle this issue ?
   >
   > The packet is not accepted.  If you get a SYN while in established state
   > then you are supposed to send a reset.  At least, that's how TCP used to
   > work.
   
   It is not that simple I think. What about a duplicate SYN resulted from a
   SYN retransmission?
   If you get a "duplicate" SYN while in established state you are "NOT"
   suppose to send a RST.

No, I meant a SYN with a sequence number that's within the valid window
(which is what the original question was asking).  It's not a duplicate.




More information about the end2end-interest mailing list