hi folks, I had a question about the stateless SYN cookie approach to solve the Denial of Service attack. The Linux kernel has implemented this for quite some time now.

So basically when we get an incoming SYN we send back a SYN+ACK with the ISN generated as

ISN = f(t) + MD5(Sport, Saddress, Dport, Daddress, secret1)

where f(t) is a monotonically increasing function of time and secret1 is a boot-time generated secret number.

However, let's assume the SYN+ACK that we sent back got delayed and the client sends a new SYN request. The server sends back a new SYN+ACK and regenerates a new ISN. Note that we are not preserving any state, so the ISN we sent back the first time cannot be regenerated again. In the meantime the client gets the OLD SYN and it accepts it and the connection goes to established state. A TCB is created. Now when the new SYN+ACK arrives and if the new ISN falls within the receive window of the client, then the packet is wrongly accepted.

How are we handling this issue?

Naren
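The cookie construction and the server-side check described in the post, as an added example that is not part of the original message or of the kernel's code. It assumes a concrete layout (the time counter in the top byte, the MD5 term truncated to 32 bits, a 64-second counter period and a two-step acceptance window) and constructed addresses and a placeholder secret; the last function reproduces the retransmit scenario from the post, showing that the server issues two different cookies and, keeping no state, later accepts an ACK for either.

```python
"""SYN cookie as in the post: ISN = f(t) + MD5(sport, saddr, dport, daddr, secret1).
Layout assumed here for illustration (not the kernel's exact encoding)."""
import hashlib
import socket
import struct

SECRET1 = b"example-boot-time-secret"  # constructed placeholder for the boot-time secret
PERIOD = 64    # seconds per f(t) step (assumption)
MAX_AGE = 2    # counter steps for which a cookie stays acceptable (assumption)
MASK32 = 0xFFFFFFFF


def counter(now: float) -> int:
    """Monotonically increasing function of time, reduced to one byte."""
    return int(now // PERIOD) & 0xFF


def md5_term(saddr: str, sport: int, daddr: str, dport: int) -> int:
    """MD5 over the 4-tuple and the secret, truncated to 32 bits."""
    data = (struct.pack("!H", sport) + socket.inet_aton(saddr)
            + struct.pack("!H", dport) + socket.inet_aton(daddr) + SECRET1)
    return int.from_bytes(hashlib.md5(data).digest()[:4], "big")


def make_cookie(saddr: str, sport: int, daddr: str, dport: int, now: float) -> int:
    """Server ISN sent in the SYN+ACK; no per-connection state is kept."""
    return ((counter(now) << 24) + md5_term(saddr, sport, daddr, dport)) & MASK32


def check_cookie(saddr: str, sport: int, daddr: str, dport: int,
                 cookie: int, now: float) -> bool:
    """On the final ACK (cookie = ack number - 1) the server strips the MD5 term
    and checks that the counter left over is recent. Nothing else is remembered."""
    rest = (cookie - md5_term(saddr, sport, daddr, dport)) & MASK32
    if rest & 0xFFFFFF:          # a valid cookie leaves only the counter byte
        return False
    age = (counter(now) - (rest >> 24)) & 0xFF
    return age <= MAX_AGE


def retransmit_scenario(saddr="10.0.0.2", sport=40000, daddr="10.0.0.1", dport=80):
    """Client retransmits its SYN in the next counter step; the server answers
    twice with different ISNs and later sees an ACK for one of them."""
    isn_first = make_cookie(saddr, sport, daddr, dport, now=0)
    isn_second = make_cookie(saddr, sport, daddr, dport, now=70)
    ack_time = 100
    return (isn_first != isn_second,
            check_cookie(saddr, sport, daddr, dport, isn_first, ack_time),
            check_cookie(saddr, sport, daddr, dport, isn_second, ack_time))
```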