[e2e] ISN regeneration when Stateless SYN cookies are used
Mahesh Sooriyabandara
mahesh at erg.abdn.ac.uk
Thu Oct 18 09:31:15 PDT 2001
> > I had a question about the Stateless SYN
> > cookie approach to solve the Denial of Service attack.
> > The linux kernel has implemented this for quite some
> > time now. ...
> >
> > In the meantime the client gets the OLD SYN and it accepts
> > it and the connection goes to established state. A TCB is
> > created.
> >
> > Now when the new SYN+ACK arrives and if the new ISN falls
> > within the Receive window of the client, then the packet
> > is wrongly accepted. How do we handle this issue ?
> >
> > The packet is not accepted. If you get a SYN while in established state
> > then you are supposed to send a reset. At least, that's how TCP used to
> > work.
>
> It is not that simple I think. What about a duplicate SYN resulted from a
> SYN retransmission?
> If you get a "duplicate" SYN while in established state you are "NOT"
> suppose to send a RST.
>
> No, I meant a SYN with a sequence number that's within the valid window
> (which is what the original question was asking). It's not a duplicate.
Yes I agree.
More information about the end2end-interest
mailing list