[e2e] ISN regeneration when Stateless SYN cookies are used
Michael B Greenwald
mbgreen at dsl.cis.upenn.edu
Thu Oct 18 08:49:10 PDT 2001
Thu, 18 Oct 2001 16:47:19 +0100
Mahesh Sooriyabandara <mahesh at erg.abdn.ac.uk>
> I had a question about the Stateless SYN
> cookie approach to solve the Denial of Service attack.
> The linux kernel has implemented this for quite some
> time now. ...
>
> In the meantime the client gets the OLD SYN and it accepts
> it and the connection goes to established state. A TCB is
> created.
>
> Now when the new SYN+ACK arrives and if the new ISN falls
> within the Receive window of the client, then the packet
> is wrongly accepted. How do we handle this issue ?
>
> The packet is not accepted. If you get a SYN while in established state
> then you are supposed to send a reset. At least, that's how TCP used to
> work.
It is not that simple I think. What about a duplicate SYN resulted from a
SYN retransmission?
If you get a "duplicate" SYN while in established state you are "NOT"
suppose to send a RST.
No, I meant a SYN with a sequence number that's within the valid window
(which is what the original question was asking). It's not a duplicate.
More information about the end2end-interest
mailing list