Questions on syn_cookies


I read Wikipedia's definition of SYN Cookies, and also read
Stevens' "TCP/IP Illustrated" vol 1, pages 231-232, describing
the connection establishment protocol (the "three-way handshake"),
and I'm kind of drawing a blank.

It seems from Stevens' description that the sequence numbers
for each end are completely independent, and that the idea is
that the other end follows the received SN.

From the description of syn_cookies, it would seem like the
server has some secret information that a client has to know
to be accepted.

Can someone shed some light on this?

A second question -- on a Linux machine, I know I just have to
put a 1 in the file /proc/sys/net/ipv4/tcp_syncookies to enable
the feature.  My question is:  is it simply a matter of enabling
that feature, and it will be completely, 100% transparent to all
clients in all possible conditions?  Or will the server suffer
some strange side-effects and there would be some additional
steps to take so that things can work?  (I'm talking about a
web server)



Re: Questions on syn_cookies

First some bg.
In TCP the client sends a "SYN" to the server. Without syn cookies the
client's IP and port are placed in a database.  This leads to a DDoS
where hundreds of half-open connections are formed.  With syn cookies
no such DB is needed.  Instead, the SYN-ACK response contains a sequence
number that will allow an ACK to establish a connection if the ACK has
the number. This method is less common, but is supported by TCP, and so
is transparent. Nothing else needs to be set up.
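As an added illustration (not code from either post, and not the kernel's implementation), here is a toy mint/verify pair following the classic cookie layout the Wikipedia article describes: the server derives its SYN-ACK sequence number from a keyed hash of the four-tuple and a coarse timer, stores nothing per SYN, and later accepts an ACK only if ack-1 is a cookie it could have produced recently. The secret key, the MSS table, the timer values and the use of HMAC-SHA256 are assumptions made for this example.

```python
import hashlib
import hmac
import ipaddress
import struct

# Server secret, constructed for this example; a real server draws it randomly at boot.
SECRET = b"example-only-secret-rotate-me"

# Classic cookie layout: top 5 bits = timer t (64-second ticks) mod 32,
# next 3 bits = index into a small MSS table, low 24 bits = keyed hash.
MSS_TABLE = (536, 1300, 1440, 1460)


def ip4(addr):
    """Dotted-quad string -> 4 packed bytes."""
    return ipaddress.IPv4Address(addr).packed


def _hash24(src_ip, src_port, dst_ip, dst_port, t):
    msg = struct.pack("!4sH4sHI", src_ip, src_port, dst_ip, dst_port, t)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(src_ip, src_port, dst_ip, dst_port, mss, t):
    """ISN for the SYN-ACK. Nothing about this SYN is stored; the cookie is the state."""
    fits = [i for i, m in enumerate(MSS_TABLE) if m <= mss]
    mss_idx = fits[-1] if fits else 0
    return ((t & 0x1F) << 27) | (mss_idx << 24) | _hash24(src_ip, src_port, dst_ip, dst_port, t)


def check_cookie(src_ip, src_port, dst_ip, dst_port, ack_num, now_t, max_age=2):
    """Validate the final ACK: ack_num - 1 must be a cookie minted for this
    4-tuple within the last max_age ticks. Returns the recovered MSS, or None
    to drop the ACK. Only the MSS survives; other SYN options are lost."""
    cookie = (ack_num - 1) & 0xFFFFFFFF
    t_low = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    for age in range(max_age + 1):
        t = now_t - age
        if t < 0:
            continue
        # Rebuild the full timer from its low 5 bits, then recompute the hash.
        if (t & 0x1F) == t_low and _hash24(src_ip, src_port, dst_ip, dst_port, t) == (cookie & 0xFFFFFF):
            return MSS_TABLE[mss_idx]
    return None
```

Because the server keeps no half-open entry, a flood of SYNs costs it one hash per SYN and one per ACK instead of table space, which is why the reply says no DB is needed.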
