[e2e] ISN regeneration when Stateless SYN cookies are used
gangadharan annapurna
nallu17 at hotmail.com
Thu Oct 18 00:04:10 PDT 2001
Hi folks,
I had a question about the Stateless SYN
cookie approach to solve the Denial of Service attack.
The Linux kernel has implemented this for quite some
time now.
So basically when we get an incoming SYN we send back a
SYN+ACK with the ISN generated as
ISN = f(t) + MD5(Sport,Saddress,Dport,Daddress,secret1)
where
f(t) is a monotonically increasing function of time
secret1 is a boot-time generated secret number
However, let's assume the SYN+ACK that we sent back got
delayed and the client sends a new SYN request. And
the server sends back a new SYN+ACK and regenerates
a new ISN. Note that we are not preserving any state,
so the ISN we sent back the first time cannot be regenerated
again.
In the meantime the client gets the OLD SYN and it accepts
it and the connection goes to established state. A TCB is
created.
Now when the new SYN+ACK arrives and if the new ISN falls
within the Receive window of the client, then the packet
is wrongly accepted. How do we handle this issue?
thanks
Naren
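
Added example, not part of the original post and not Linux kernel code: a Python model of the ISN formula quoted above. For one connection the MD5 term is the same in both SYN+ACKs, so the distance between the two ISNs is f(t2) - f(t1) and the in-window test depends only on how fast f(t) advances. The linear f(t) with rate TICK, the 32-bit truncation of the hash, the byte layout of the hash input, the secret and the addresses are all assumptions made for illustration.

```python
import hashlib
import socket
import struct

MOD = 2 ** 32                          # TCP sequence space
SECRET1 = b"constructed-boot-secret"   # constructed stand-in for secret1
TICK = 64000                           # assumed growth of f(t) per second

def f(t):
    """Assumed form of f(t): linear in time, reduced mod 2^32."""
    return (int(t) * TICK) % MOD

def tuple_hash(saddr, sport, daddr, dport):
    """MD5(Sport, Saddress, Dport, Daddress, secret1), truncated to 32 bits."""
    msg = struct.pack("!H4sH4s", sport, socket.inet_aton(saddr),
                      dport, socket.inet_aton(daddr)) + SECRET1
    return struct.unpack("!I", hashlib.md5(msg).digest()[:4])[0]

def cookie_isn(t, conn):
    """ISN = f(t) + MD5(...), as in the post."""
    return (f(t) + tuple_hash(*conn)) % MOD

def isn_gap(t1, t2, conn):
    """Distance from the first ISN to the second; the MD5 term cancels."""
    return (cookie_isn(t2, conn) - cookie_isn(t1, conn)) % MOD

def seq_in_window(seq, rcv_nxt, rcv_wnd):
    """True if seq is in [rcv_nxt, rcv_nxt + rcv_wnd), modulo 2^32."""
    return (seq - rcv_nxt) % MOD < rcv_wnd

def second_isn_in_window(t1, t2, conn, rcv_wnd):
    """Client accepted the SYN+ACK built at t1; test the ISN built at t2."""
    rcv_nxt = (cookie_isn(t1, conn) + 1) % MOD   # the SYN uses one number
    return seq_in_window(cookie_isn(t2, conn), rcv_nxt, rcv_wnd)

if __name__ == "__main__":
    conn = ("192.0.2.10", 40000, "198.51.100.5", 80)   # constructed 4-tuple
    for wnd in (65535, 262144):
        print(wnd, isn_gap(1000, 1003, conn),
              second_isn_in_window(1000, 1003, conn, wnd))
```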