SYN cookies

SYN Cookies are the key element of a technique used to guard against SYN flood attacks. Daniel J. Bernstein, the technique's primary inventor, defines SYN Cookies as "particular choices of initial TCP sequence numbers by TCP servers." In particular, the use of SYN Cookies allows a server to avoid dropping connections when the SYN queue fills up. Instead, the server behaves as if the SYN queue had been enlarged. The server sends back the appropriate SYN+ACK response to the client but discards the SYN queue entry. If the server then receives a subsequent ACK response from the client, the server is able to reconstruct the SYN queue entry using information encoded in the TCP sequence number.

Implementation

In order to initiate a TCP connection, the client sends a TCP SYN packet to the server. In response, the server sends a TCP SYN+ACK packet back to the client. One of the values in this packet is a "sequence number", which is used by the TCP protocol to reassemble the data stream. According to the TCP specification, that first sequence number sent by an endpoint can be any value as decided by that endpoint. SYN Cookies are initial sequence numbers that are carefully constructed according to the following rules:

* let t = a counter incremented every 64 seconds
* let m = the Maximum Segment Size (MSS) value that the server would have stored in the SYN queue entry
* let s = the result of a cryptographic secret function computed over the server IP address and port number, the client IP address and port number, and the value t. The returned value s must be a 24-bit value.

The initial TCP sequence number, i.e. the "SYN Cookie", is computed as follows:
* First 5 bits: t mod 32
* Next 3 bits: an encoded value representing m
* Final 24 bits: s

(Note: since m must be encoded using 3 bits, the server is restricted to sending up to 8 unique values for m when SYN Cookies are in use.)

When a client sends back a TCP ACK packet to the server in response to the server's SYN+ACK packet, the client MUST (according to the TCP spec) use "n+1" in the packet's "Acknowledgement number", where "n" is the initial sequence number sent by the server. The server then subtracts 1 from the acknowledgement number to reveal the SYN Cookie sent to the client.

The server then performs the following operations.
* Checks the value t against the current time to see if the connection is expired.
* Recomputes s to determine whether this is, indeed, a valid SYN Cookie.
* Decodes the value m from the 3-bit encoding in the SYN Cookie, which it then can use to reconstruct the SYN queue entry.

From this point forward, the connection proceeds as normal.
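The construction and validation steps above, as an added worked example (not code from the page or from any real TCP stack). It assumes HMAC-SHA256 truncated to 24 bits as the secret function and a constructed 8-entry MSS table, neither of which the page specifies:

```python
import hmac
import hashlib
import time

# Assumption: the page does not name the secret function; HMAC-SHA256 truncated to 24 bits is used here.
SECRET = b"constructed-demo-secret-rotate-me"
# Assumption: constructed MSS table; the 3-bit field can index only 8 values.
MSS_TABLE = [536, 1024, 1220, 1440, 1460, 4312, 8960, 9000]

def counter(now=None):
    """t: a counter incremented every 64 seconds."""
    return int(time.time() if now is None else now) // 64

def secret_hash(saddr, sport, daddr, dport, t):
    """s: 24-bit keyed hash over server addr:port, client addr:port and t."""
    msg = f"{saddr}:{sport}|{daddr}:{dport}|{t}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")

def encode_mss(mss):
    """Index of the largest table entry not exceeding the client's MSS."""
    idx = 0
    for i, v in enumerate(MSS_TABLE):
        if v <= mss:
            idx = i
    return idx

def make_cookie(saddr, sport, daddr, dport, mss, t):
    """ISN = 5 bits (t mod 32) | 3 bits (MSS index) | 24 bits (s)."""
    s = secret_hash(saddr, sport, daddr, dport, t)
    return ((t % 32) << 27) | (encode_mss(mss) << 24) | s

def check_cookie(ack, saddr, sport, daddr, dport, now_t):
    """Validate the client's ACK; return the recovered MSS or None.
    The cookie is ack-1; t is recovered by matching the 5-bit field
    against recent counter values (assumed window: 4 intervals)."""
    cookie = (ack - 1) & 0xFFFFFFFF
    t5 = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    s = cookie & 0xFFFFFF
    for age in range(4):
        t = now_t - age
        if t % 32 != t5:
            continue  # expired or not ours; keep looking within the window
        if secret_hash(saddr, sport, daddr, dport, t) == s:
            return MSS_TABLE[mss_idx]
        return None  # right t, wrong s: forged or mis-addressed cookie
    return None  # no counter value in the window matches: connection expired
```

Because only the low 5 bits of t are stored, the validation window must stay well below 32 intervals (about 34 minutes) or an old cookie could alias a current one.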

Drawbacks

The use of SYN Cookies does not break any protocol specifications, and therefore should be compatible with all TCP implementations. There are, however, two caveats that take effect when SYN Cookies are in use. First, the server is limited to only 8 unique MSS values, as that's all that can be encoded in 3 bits. Second, the server must reject all TCP options (such as large windows), because the server discards the SYN queue entry where that information would otherwise be stored.

While these restrictions necessarily lead to a sub-optimal experience, their effect is rarely noticed by clients. Furthermore, these restrictions need only apply when the server is under attack, and the connection would have otherwise been denied. In such a situation, the loss of a few of the more esoteric options in order to save the connection is usually a reasonable compromise.

However, the 2.6.26 Linux kernel added limited support for TCP options. This is accomplished by encoding them into the TCP timestamp option.

History

The technique was created by Daniel J. Bernstein and Eric Schenk in September 1996. The first implementation, for SunOS, was released by Jeff Weisberg a month later, and Eric Schenk released his Linux implementation in February 1997 (the current Linux implementation is controlled by the [http://ipsysctl-tutorial.frozentux.net/ipsysctl-tutorial.html#AEN485 net.ipv4.tcp_syncookies] sysctl).

External links

* [http://cr.yp.to/syncookies.html D. J. Bernstein's own explanation of SYN Cookies]


Wikimedia Foundation. 2010.
