Improving the Functionality of SYN Cookies

Part of the IFIP — The International Federation for Information Processing book series (IFIPAICT, volume 100)

Abstract

Current Linux kernels include a facility called TCP SYN cookies, designed to counter SYN flooding attacks. However, the current implementation of SYN cookies does not support the negotiation of TCP options, although some of them, such as large windows or selective acknowledgment, are relevant for throughput performance. In this paper we present an improvement of the SYN cookie protocol that uses all the current mechanisms for generating and validating cookies while allowing connections negotiated with SYN cookies to set up and use any TCP options. The key idea is to exploit a kind of TCP connection called “simultaneous connection initiation” in order to lead client hosts to send TCP options and SYN cookies together to a server under attack.

Keywords

  • SYN flooding attacks
  • SYN cookies
  • TCP options
  • simultaneous connection initiation.

The original version of this chapter was revised: The copyright line was incorrect. This has been corrected. The Erratum to this chapter is available at DOI: 10.1007/978-0-387-35612-9_23

Copyright information

© 2002 IFIP International Federation for Information Processing

About this chapter

Cite this chapter

Zúquete, A. (2002). Improving the Functionality of SYN Cookies. In: Jerman-Blažič, B., Klobučar, T. (eds) Advanced Communications and Multimedia Security. IFIP — The International Federation for Information Processing, vol 100. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-35612-9_6

  • DOI: https://doi.org/10.1007/978-0-387-35612-9_6

  • Publisher Name: Springer, Boston, MA

  • Print ISBN: 978-1-4757-4405-7

  • Online ISBN: 978-0-387-35612-9

  • eBook Packages: Springer Book Archive