Syncookies

From dankwiki

Latest revision as of 02:25, 20 May 2011

DJB's page: http://cr.yp.to/syncookies.html

Issues with DJB's Writeup

  • "SYN cookies 'do not allow to use TCP extensions' such as large windows. Reality: SYN cookies don't hurt TCP extensions. A connection saved by SYN cookies can't use large windows; but the same is true without SYN cookies, because the connection would have been destroyed."
    ◦ This is only true for machines expected to suffer SYNflood attacks.
    ◦ The usefulness of TCP Large Window Extensions and SACK means I disable SYNcookies on internal machines.
      ▪ Linux 2.6.26 added support for encoding some options into timestamps (see this LWN article: http://lwn.net/Articles/277146/).

Other Issues

  • Only eight distinct MSS values can be chosen, because DJB's layout reserves only three bits of the 32-bit SYNcookie for the MSS table index; a client's requested MSS is rounded down to the nearest table entry.
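The cookie layout behind the eight-MSS limit above, and the timestamp trick Linux 2.6.26 added to carry the options the bare cookie cannot hold, as an added, self-contained Python model. This is example code written for this page, not code from dankwiki, from DJB's write-up, or from the Linux kernel. The 32-bit cookie follows DJB's layout (5 bits of a 64-second counter t, 3 bits of MSS index, 24 bits of keyed hash over the 4-tuple and t). The MSS table contents, HMAC-SHA256 as the keyed hash, the 4-tick acceptance window, and the exact bit layout used for options in the timestamp are assumptions of this example, not values fixed by the page.

```python
"""Model of a DJB-style SYN cookie plus options-in-timestamp encoding.

Added example for this page; not dankwiki's, DJB's or Linux's code.
Cookie layout (DJB, http://cr.yp.to/syncookies.html):
  bits 31..27 : t mod 32, where t increments every 64 seconds
  bits 26..24 : index into an 8-entry MSS table (so only 8 MSS values exist)
  bits 23..0  : keyed hash of (client IP, client port, server IP, server port, t)
Assumptions: MSS table contents, HMAC-SHA256 as the hash, 4-tick max age,
and the timestamp bit layout further down.
"""
import hashlib
import hmac
import ipaddress
import struct

MSS_TABLE = (536, 1300, 1440, 1460, 2048, 4096, 8192, 9000)  # assumed contents
COUNTER_PERIOD = 64   # seconds per increment of t (DJB's scheme)
MAX_AGE_TICKS = 4     # assumed policy: reject ACKs for cookies older than this


def mss_index(client_mss):
    """Index of the largest table entry <= the client's MSS (0 if none fit)."""
    best = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            best = i
    return best


def _mac24(secret, saddr, sport, daddr, dport, t):
    """24-bit keyed hash over the 4-tuple and the counter value."""
    msg = struct.pack("!4sH4sHI",
                      ipaddress.IPv4Address(saddr).packed, sport,
                      ipaddress.IPv4Address(daddr).packed, dport, t)
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(secret, saddr, sport, daddr, dport, client_mss, now):
    """Cookie sent as the SYN-ACK's ISN; the server keeps no per-SYN state."""
    t = now // COUNTER_PERIOD
    return (((t & 0x1F) << 27)
            | (mss_index(client_mss) << 24)
            | _mac24(secret, saddr, sport, daddr, dport, t))


def check_cookie(secret, saddr, sport, daddr, dport, ack_seq, now):
    """Rebuild the cookie from the client's ACK; return the MSS, or None if bad."""
    cookie = (ack_seq - 1) & 0xFFFFFFFF   # the ACK acknowledges ISN + 1
    t_now = now // COUNTER_PERIOD
    # Recover t: the most recent counter value whose low 5 bits match the cookie.
    t = t_now - ((t_now - (cookie >> 27)) & 0x1F)
    if t_now - t > MAX_AGE_TICKS:
        return None                        # stale, or replayed much later
    if (cookie & 0xFFFFFF) != _mac24(secret, saddr, sport, daddr, dport, t):
        return None                        # forged, or sent from another 4-tuple
    return MSS_TABLE[(cookie >> 24) & 0x7]


# --- Options carried in the timestamp (the idea Linux 2.6.26 added) ---
# Assumed layout for this example: the low 6 bits of the server's TSval hold
# the window scale (0xF = none), a SACK-permitted bit and an ECN bit. The
# client echoes the value back as TSecr, so it survives the stateless SYN-ACK.
TS_BITS = 6
TS_WSCALE_MASK = 0xF
TS_SACK = 1 << 4
TS_ECN = 1 << 5


def encode_options_in_tsval(ts_now, wscale, sack_ok, ecn_ok):
    """Stuff negotiated options into the low bits without advancing the clock."""
    opts = TS_WSCALE_MASK if wscale is None else (wscale & TS_WSCALE_MASK)
    opts |= TS_SACK if sack_ok else 0
    opts |= TS_ECN if ecn_ok else 0
    ts = (ts_now & ~((1 << TS_BITS) - 1)) | opts
    if ts > ts_now:                        # never hand out a timestamp from the future
        ts -= 1 << TS_BITS
    return ts & 0xFFFFFFFF


def decode_options_from_tsecr(tsecr):
    """Recover the options from the timestamp the client echoed in its ACK."""
    w = tsecr & TS_WSCALE_MASK
    return {"wscale": None if w == TS_WSCALE_MASK else w,
            "sack_ok": bool(tsecr & TS_SACK),
            "ecn_ok": bool(tsecr & TS_ECN)}


if __name__ == "__main__":
    secret, now = b"rotate-me-periodically", 1_000_000   # constructed sample values
    c = make_cookie(secret, "10.0.0.2", 40000, "10.0.0.1", 80, 1400, now)
    ack = (c + 1) & 0xFFFFFFFF
    print("MSS granted for a client asking 1400:",
          check_cookie(secret, "10.0.0.2", 40000, "10.0.0.1", 80, ack, now + 100))
    print("same ACK five ticks later:",
          check_cookie(secret, "10.0.0.2", 40000, "10.0.0.1", 80, ack, now + 5 * 64))
    ts = encode_options_in_tsval(123456, 7, True, False)
    print("TSval", ts, "->", decode_options_from_tsecr(ts))
```

Two things the model makes visible: a client advertising MSS 1400 is silently downgraded to 1300 because 1400 is not one of the eight table entries, and the SYN-ACK can only advertise window scaling or SACK if the client sent a timestamp option for the server to echo the bits through, which is why a connection rescued by a bare cookie cannot use large windows.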

Other Mitigations for SYNfloods

  • SYNproxying by a powerful intermediary (a firewall or load balancer that completes the three-way handshake itself and only opens a connection to the real server once the client has proven it can complete one)