Sprezzatech: Expert UNIX/HPC consulting and custom development.
Syncookies
From blackwiki
DJB's page: http://cr.yp.to/syncookies.html
Issues with DJB's Writeup
- "SYN cookies 'do not allow to use TCP extensions' such as large windows. Reality: SYN cookies don't hurt TCP extensions. A connection saved by SYN cookies can't use large windows; but the same is true without SYN cookies, because the connection would have been destroyed."
- This is only true for machines expected to suffer SYNflood attacks.
- The usefulness of TCP Large Window Extensions and SACK means I disable SYNcookies on internal machines
- Linux 2.6.26 added support for encoding some options into timestamps (see this LWN article).
Other Issues
- Only eight distinct MSS values can be chosen, due to only three bits for MSS in the 32 bits of a SYNcookie
Other Mitigations for SYNfloods
- SYNproxying by a powerful intermediary
google+