SYN-Cookies

SYN cookies are a method of protection against SYN flood attacks, developed in 1996 by Daniel J. Bernstein. SYN flooding is a form of denial-of-service attack in which the attacked computer is provoked, by the mass opening of connections, into using up its own resources keeping those connections open.

Connection with TCP

When a conventional TCP connection is established, in the so-called three-way handshake, the client first sends a SYN packet to the server. The server stores this message and replies with a SYN/ACK packet. Finally the client sends an ACK packet to the server, and the connection is established.

Extension to SYN cookies

The Transmission Control Protocol (TCP) does not specify the initial value of the sequence number of the SYN/ACK packet. The server can therefore use it to encode the information it would otherwise have to store in a table of half-open TCP connections. Since no such table then exists, it cannot overflow, and a SYN flood attack cannot lead to a denial of service (DoS).

Because the client increments the sequence number of the TCP SYN/ACK by 1, the acknowledgement number of the TCP ACK packet contains the server-generated initial sequence number plus 1. The server decrements it by 1 again and compares the result with the hash value computed from the packet. If the two hashes do not match, the connection has to be set up anew, for which the server sends the client a TCP RST packet.

Because the verification of the connection setup takes place on the server, the implementation of the hash function can in principle be chosen arbitrarily; however, it should be as unpredictable as possible in order to avoid security risks. The procedure is transparent to the client, so connections between remote hosts can be established regardless of whether they use SYN cookies.

Content of the initial sequence number

  • Timestamp with a resolution of 64 seconds
  • Maximum segment size
  • Hash function over:
      ◦ Sender and receiver IP address
      ◦ Ports
      ◦ Timestamp with a resolution of 64 seconds
      ◦ A secret value known only to the server (which, if required, changes at long intervals)

The hash function is not specified in RFC 4987 and can therefore be freely chosen.
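The following is an added worked example, not code from the article or from any particular operating system's TCP stack. It builds an initial sequence number from the three components listed above and then verifies the acknowledgement number of the returning ACK the way the server side is described: subtract 1, recompute the hash from the packet's addresses, ports and the timestamp carried in the cookie, and compare. The bit layout (5 bits of timestamp, 3 bits of MSS index, 24 bits of hash), the use of HMAC-SHA256 as the "freely chosen" hash, the MSS table, the secret and the two-slot validity window are all assumptions made for the example; the addresses are constructed documentation-range values.

```python
import hashlib
import hmac
import ipaddress
import struct

# Assumed 32-bit cookie layout (an assumption for this example):
#   bits 31..27 : timestamp counter t = (now // 64) mod 32   (64-second resolution)
#   bits 26..24 : index into MSS_TABLE (maximum segment size)
#   bits 23..0  : 24-bit keyed hash over (client ip, client port, server ip, server port, t)
MSS_TABLE = (536, 1300, 1440, 1460)            # constructed table of encodable MSS values
SECRET = b"constructed-server-secret-rotate-at-long-intervals"  # server-only secret (assumed)
MAX_AGE_SLOTS = 2                              # accept cookies up to 2 x 64 s old (assumed)


def mss_index(mss):
    """Index of the largest table entry not exceeding the client's advertised MSS."""
    idx = 0
    for i, value in enumerate(MSS_TABLE):
        if value <= mss:
            idx = i
    return idx


def _hash24(client_ip, client_port, server_ip, server_port, t, secret):
    """24-bit keyed hash over addresses, ports and the 5-bit timestamp slot."""
    msg = (ipaddress.ip_address(client_ip).packed + struct.pack("!H", client_port)
           + ipaddress.ip_address(server_ip).packed + struct.pack("!H", server_port)
           + struct.pack("!B", t))
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(client_ip, client_port, server_ip, server_port, mss, now, secret=SECRET):
    """Initial sequence number the server puts into its SYN/ACK; nothing is stored."""
    t = (now // 64) & 0x1F
    h = _hash24(client_ip, client_port, server_ip, server_port, t, secret)
    return ((t << 27) | (mss_index(mss) << 24) | h) & 0xFFFFFFFF


def check_cookie(ack_number, client_ip, client_port, server_ip, server_port, now,
                 secret=SECRET, max_age_slots=MAX_AGE_SLOTS):
    """Validate the ACK of the handshake.

    Returns the MSS to use for the new connection if the cookie is genuine and
    recent, otherwise None (a real server would answer with a TCP RST).
    """
    cookie = (ack_number - 1) & 0xFFFFFFFF      # the ACK carries ISN + 1
    t = cookie >> 27
    idx = (cookie >> 24) & 0x7
    h = cookie & 0xFFFFFF

    # Reject stale cookies: compare the embedded slot with the current one modulo 32.
    now_slot = (now // 64) & 0x1F
    if ((now_slot - t) & 0x1F) > max_age_slots:
        return None

    expected = _hash24(client_ip, client_port, server_ip, server_port, t, secret)
    # Constant-time comparison of the 24-bit hash values.
    if not hmac.compare_digest(h.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None
    return MSS_TABLE[idx]


if __name__ == "__main__":
    # Constructed handshake: client 192.0.2.10:40000 -> server 203.0.113.5:443
    now = 1_700_000_000
    isn = make_cookie("192.0.2.10", 40000, "203.0.113.5", 443, 1460, now)
    print("SYN/ACK initial sequence number: 0x%08x" % isn)
    print("valid ACK  ->", check_cookie(isn + 1, "192.0.2.10", 40000, "203.0.113.5", 443, now))
    print("stale ACK  ->", check_cookie(isn + 1, "192.0.2.10", 40000, "203.0.113.5", 443, now + 64 * 5))
    print("wrong host ->", check_cookie(isn + 1, "192.0.2.11", 40000, "203.0.113.5", 443, now))
```

The MSS is carried in the cookie because the client's SYN, the only packet that advertises it, is not retained; the timestamp is both stored in clear (so the server can bound the cookie's age) and fed into the hash (so it cannot be altered without invalidating the cookie).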
