Commit 5c1a445

SYN cookies
1 parent 34d4bc6 commit 5c1a445

File tree

1 file changed

+19
-7
lines changed

1 file changed

+19
-7
lines changed

firewall.rst

Lines changed: 19 additions & 7 deletions
@@ -738,18 +738,30 @@ implementation of IP would be at risk of not being able to forward
738738
packets at line speed if it's busy processing the options. For this
739739
reason, routers typically implement a "fast path" that is able to keep
740740
pace with line speeds and a "slow path" that processes exceptional
741-
packets, and most importantly, they are able to quickly determine
742-
which path each packet should be assigned to. This is a variant of the
743-
second countermeasure—decide early to protect resources.
741+
packets, and most importantly, they quickly determine which path each
742+
packet should be assigned to. This is a variant of the second
743+
countermeasure—decide early to protect resources.
744744

745745
Another well-known example is a "SYN Flood" targeting TCP, whereby an
746746
attacker floods a server with SYN requests without any intent to
747747
complete the TCP handshake and actually establish a connection. This
748748
overloads TCP's connection table, potentially denying connections to
749-
legitimate clients. These examples is just two of many, forcing
750-
protocol implementers to program defensively. Addressing this
751-
challenge ventures outside the scope of this book, but the following
752-
reference explores the problem in more depth.
749+
legitimate clients. An IDS/IPS can help protect servers since a flood
750+
of SYN packets is anomalous behavior, but individual servers can also
751+
limit the impact by encoding connection state in the sequence number
752+
included in the SYN+ACK they send back to the client—a "SYN cookie" of
753+
sorts—and then allocate connection state locally only after the client
754+
goes to the trouble of correctly ACK'ing that packet. This is a
755+
variant of the first countermeasure in that it forces the attacker to
756+
use additional resources.
757+
758+
These examples are just two of many illustrating the need to program
759+
defensively. This is especially true for protocols that are purposely
760+
designed to process data from remote sources, exposing them to
761+
attempts to crash, hack, or as in the case of DoS attacks, simply
762+
consume the system. This topic ventures outside the scope of the book,
763+
but the following reference explores one approach addressing the
764+
challenge.
753765

754766
.. admonition:: Further Reading
755767
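Review bot: the new SYN cookie paragraph says the server encodes connection state in the SYN+ACK sequence number but never says what makes that safe, and that is the step a reader needs: the server must be able to check the client's returning ACK without having stored anything, so the cookie is a keyed hash of the connection's addresses and ports plus a coarse timestamp that the server recomputes when the ACK arrives (the client echoes it in the acknowledgment number). Suggest adding one clause to that effect after "a "SYN cookie" of sorts". A short caveat would also help: since only 32 bits are available, options negotiated in the original SYN (window scaling, SACK) cannot all be carried in the cookie and may be lost, which is why implementations normally fall back to cookies only when the SYN queue is under pressure rather than using them for every connection. The closing sentence, "it forces the attacker to use additional resources", should name the resource: the attacker now has to receive the SYN+ACK and answer it, so SYNs sent from spoofed source addresses no longer consume server state. Minor style point in the last added lines: "one approach addressing the challenge" reads awkwardly; "one approach to addressing the challenge" is cleaner.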
