[e2e] ISN regeneration when Stateless SYN cookies are used
Mahesh Sooriyabandara
mahesh at erg.abdn.ac.uk
Thu Oct 18 08:47:19 PDT 2001
>> I had a question about the Stateless SYN
>> cookie approach to solve the Denial of Service attack.
>> The Linux kernel has implemented this for quite some
>> time now. ...
>>
>> In the meantime the client gets the OLD SYN and it accepts
>> it and the connection goes to established state. A TCB is
>> created.
>>
>> Now when the new SYN+ACK arrives and if the new ISN falls
>> within the Receive window of the client, then the packet
>> is wrongly accepted. How do we handle this issue?
>
> The packet is not accepted. If you get a SYN while in established state
> then you are supposed to send a reset. At least, that's how TCP used to
> work.
It is not that simple, I think. What about a duplicate SYN resulting from a
SYN retransmission?
If you get a "duplicate" SYN while in established state you are "NOT"
supposed to send a RST.
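
The two cases discussed in this thread, as an added example that is not part of the original posts: a simplified, hypothetical cookie function (an assumption, not the Linux formula) derives the server ISN from a time counter, and an RFC 793 style check shows what a client in ESTABLISHED state answers to an exact duplicate SYN+ACK versus one whose regenerated ISN lands in its receive window. All function names, addresses and the secret are constructed.

```python
import hashlib
import hmac
import struct

MOD = 1 << 32
SECRET = b"constructed-demo-secret"  # constructed value, not a real key

def cookie_isn(secret, four_tuple, client_isn, counter):
    """Simplified stateless cookie (assumption, not the Linux formula):
    the server ISN is a keyed hash over the connection identifiers and a
    coarse time counter, so a SYN answered in a later tick gets a new ISN."""
    src, sport, dst, dport = four_tuple
    msg = f"{src}:{sport}>{dst}:{dport}".encode()
    msg += struct.pack("!II", client_isn, counter)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")

def in_window(seq, rcv_nxt, rcv_wnd):
    """RFC 793 acceptability of a sequence number, modulo 2**32."""
    return (seq - rcv_nxt) % MOD < rcv_wnd

def established_rx_syn(seg_seq, rcv_nxt, rcv_wnd):
    """RFC 793 handling of a SYN-bearing segment in ESTABLISHED state.
    Out of window (e.g. an exact duplicate): answer with an ACK and drop.
    In window: it is an error, send a reset."""
    return "RST" if in_window(seg_seq, rcv_nxt, rcv_wnd) else "ACK"

def replay(old_isn, new_isn, rcv_wnd):
    """Client accepted old_isn, so RCV.NXT = old_isn + 1 (no data yet)."""
    rcv_nxt = (old_isn + 1) % MOD
    return {
        "duplicate": established_rx_syn(old_isn, rcv_nxt, rcv_wnd),
        "regenerated": established_rx_syn(new_isn, rcv_nxt, rcv_wnd),
    }

if __name__ == "__main__":
    conn = ("192.0.2.10", 40000, "198.51.100.5", 80)  # constructed addresses
    first = cookie_isn(SECRET, conn, 1000, counter=7)
    # Same SYN retransmitted and answered one counter tick later.
    second = cookie_isn(SECRET, conn, 1000, counter=8)
    print(first, second, replay(first, second, rcv_wnd=65535))
```
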