April 20, 2008 Leave a comment
An interesting cryptographic way to deal with syn floods is syn cookies. SYN floods are simply a bunch of syn packets from spoofed ip addresses, and are a fairly common dos attack. Some other ways to deal with these include increasing the syn queue size and decreasing the wait for reply time, but these don’t really solve the problem.
SYN cookies are built into the Linux kernel by default (though usually not enabled by default). You can find and configure this feature in proc/sys. For example, to enable them you could
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
syn cookies provide a way to build the syn number in a tcp handshake so that it can be used to reconstruct initial syn numbers of legitimate clients after they return the final ack (it checks it using a function and rebuilds the syn queue). This allows kernel resources to be reused that would normally be waiting on the connection after receiving the first syn.
A normal tcp handshake looks like:
Under a syn attack, most syn-acks sent by you (the target of the attack) will never respond with that final ack since they were falsely generated. syn cookies are an effective defense against this. A server that uses SYN cookies doesn’t have to drop connections when its SYN queue fills up.
For more information about syn cookies, see http://cr.yp.to/syncookies.html
For why it might not be enabled by default see: http://email@example.com/msg61116.html
Despite this, it probably make sense in many environments.