[e2e] ISN regeneration when Stateless SYN cookies are used

Mahesh Sooriyabandara mahesh at erg.abdn.ac.uk
Thu Oct 18 09:31:15 PDT 2001


>    >    I had a question about the Stateless SYN
>    >    cookie approach to solve the Denial of Service attack.
>    >    The linux kernel has implemented this for quite some
>    >    time now. ...
>    >
>    >    In the meantime the client gets the OLD SYN and it accepts
>    >    it and the connection goes to established state. A  TCB is
>    >    created.
>    >
>    >    Now when the new SYN+ACK arrives and if the new ISN falls
>    >    within the Receive window of the client, then the packet
>    >    is wrongly accepted.  How  do we handle this issue ?
>    >
>    > The packet is not accepted.  If you get a SYN while in established state
>    > then you are supposed to send a reset.  At least, that's how TCP used to
>    > work.
>
>    It is not that simple I think. What about a duplicate SYN resulted from a
>    SYN retransmission?
>    If you get a "duplicate" SYN while in established state you are "NOT"
>    suppose to send a RST.
>
> No, I meant a SYN with a sequence number that's within the valid window
> (which is what the original question was asking).  It's not a duplicate.

Yes I agree.




More information about the end2end-interest mailing list