Syncookies: Difference between revisions
From dankwiki
Latest revision as of 02:25, 20 May 2011
DJB's page: http://cr.yp.to/syncookies.html
Issues with DJB's Writeup
- "SYN cookies 'do not allow to use TCP extensions' such as large windows. Reality: SYN cookies don't hurt TCP extensions. A connection saved by SYN cookies can't use large windows; but the same is true without SYN cookies, because the connection would have been destroyed."
- This is only true for machines expected to suffer SYNflood attacks; on a host that is never flooded, the connections that fall back to cookies give up those extensions for nothing.
- The usefulness of TCP Large Window Extensions and SACK means I disable SYNcookies on internal machines.
- Linux 2.6.26 added support for encoding some TCP options (window scaling and SACK-permitted) into the TCP timestamp option when cookies are in use, so they survive on cookie-restored connections if the client sends timestamps (see this LWN article).
Other Issues
- Only eight distinct MSS values can be chosen: in DJB's layout the 32-bit cookie is 5 bits of time counter (t mod 32), 3 bits of MSS index, and 24 bits of keyed hash, so the server must round the client's MSS down to one of eight table entries.
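As an added example (not code from dankwiki or from DJB's page), the following Python models DJB's cookie layout end to end: the server answers a SYN with a cookie as its ISN instead of allocating state, then validates the cookie returned in the client's ACK and reconstructs the connection from it. The secret key, the eight-entry MSS table, HMAC-SHA256 truncated to 24 bits as the "secret function", the two-tick validity window and the addresses are all assumptions of this example. It also shows the cost discussed above: the only option that comes back out of the cookie is the quantized MSS, so window scaling and SACK are lost unless they are carried somewhere else (the timestamp trick).

```python
"""Toy model of DJB-style SYN cookies (added example, not from dankwiki or cr.yp.to).

32-bit cookie layout as described by DJB:
  top 5 bits  : t mod 32, t being a slow counter (e.g. one tick per 64 s)
  next 3 bits : index into an 8-entry MSS table (hence "only eight MSS values")
  low 24 bits : keyed hash over (saddr, sport, daddr, dport, t)
"""
import hashlib
import hmac
import ipaddress
import struct

# Assumed secret; a real kernel uses per-boot random keys.
SECRET = b"example-only-syncookie-secret"

# Assumed eight-entry MSS table (3 bits can index at most eight values).
MSS_TABLE = (536, 1024, 1220, 1440, 1452, 1460, 4312, 8960)

COOKIE_BITS = 24                      # low 24 bits hold the hash
COOKIE_MASK = (1 << COOKIE_BITS) - 1
MSS_SHIFT = COOKIE_BITS               # 3-bit MSS index above the hash
T_SHIFT = COOKIE_BITS + 3             # 5-bit t mod 32 at the top


def mss_index(client_mss):
    """Largest table entry not exceeding the client's MSS; index 0 if none fit."""
    best = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            best = i
    return best


def _hash24(saddr, sport, daddr, dport, t):
    """24-bit keyed hash of the 4-tuple and the full time counter."""
    data = struct.pack("!IHIHI",
                       int(ipaddress.IPv4Address(saddr)), sport,
                       int(ipaddress.IPv4Address(daddr)), dport,
                       t & 0xFFFFFFFF)
    return int.from_bytes(hmac.new(SECRET, data, hashlib.sha256).digest()[:3], "big")


def make_cookie(saddr, sport, daddr, dport, t, client_mss):
    """The ISN the server sends in its SYN-ACK instead of queueing a half-open connection."""
    return (((t & 0x1F) << T_SHIFT)
            | (mss_index(client_mss) << MSS_SHIFT)
            | _hash24(saddr, sport, daddr, dport, t))


def check_cookie(cookie, saddr, sport, daddr, dport, now_t, max_age=2):
    """Validate the cookie recovered from the client's ACK (ack_seq - 1).

    Returns the MSS for the reconstructed connection, or None if the cookie
    was forged or is older than max_age counter ticks (assumed window).
    """
    t_mod = (cookie >> T_SHIFT) & 0x1F
    idx = (cookie >> MSS_SHIFT) & 0x7
    for age in range(max_age + 1):
        t = now_t - age                     # candidate full counter value
        if (t & 0x1F) != t_mod:
            continue
        expected = _hash24(saddr, sport, daddr, dport, t).to_bytes(3, "big")
        got = (cookie & COOKIE_MASK).to_bytes(3, "big")
        if hmac.compare_digest(expected, got):
            return MSS_TABLE[idx]           # only the quantized MSS survives
    return None


def simulate_handshake(client_mss, syn_t, ack_t, tamper=False):
    """SYN (MSS option) -> SYN-ACK with cookie ISN -> ACK; returns recovered MSS or None."""
    client = ("203.0.113.7", 40000)        # constructed client endpoint
    server = ("198.51.100.1", 443)         # constructed server endpoint
    isn = make_cookie(client[0], client[1], server[0], server[1], syn_t, client_mss)
    ack_seq = (isn + 1) & 0xFFFFFFFF       # the client acknowledges ISN+1
    cookie = (ack_seq - 1) & 0xFFFFFFFF    # server has no state; recover cookie from ACK
    if tamper:
        cookie ^= 1                        # attacker guessing: flip a hash bit
    return check_cookie(cookie, client[0], client[1], server[0], server[1], ack_t)


if __name__ == "__main__":
    print("MSS 1460, fresh  :", simulate_handshake(1460, 100, 100))
    print("MSS 1400, 1 tick :", simulate_handshake(1400, 100, 101))  # rounded down
    print("stale (4 ticks)  :", simulate_handshake(1460, 100, 104))
    print("tampered         :", simulate_handshake(1460, 100, 100, tamper=True))
```

Note that the MSS 1400 case comes back as 1220: the cookie cannot carry 1400, only the nearest smaller table entry. Window scale and SACK-permitted have no bits at all in this layout, which is exactly why the timestamp encoding was added to Linux.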
Other Mitigations for SYNfloods
- SYNproxying by a powerful intermediary