Bugtraq mailing list archives

Re: Excellent host SYN-attack fix for BSD hosts


From: jaw () Op Net (Jeff Weisberg)
Date: Mon, 14 Oct 1996 13:43:09 -0400


"Charles M. Hannum" <mycroft () mit edu> commented:
| Avi Freedman <freedman () netaxs com> writes:
| > No state is kept locally; when a SYN is received, an ISS is generated that
| > contains a few bits for reference into a table of MSS values; window size
| > and any initial data is discarded; and the rest of the ISS is the MD5 output
| > of a 32-byte secret and all of the interesting header info.
|
| This doesn't seem to deal with window scaling, which is a big lose on
| high-bandwidth networks.

No, it does not handle window scaling. The code was written for SunOS,
which does not support window scaling. This would be fairly
simple to add for hosts which support it.

Also, my code has hooks for dynamically deciding whether or not we
save state.


| It also breaks TCP's algorithm for
| recognizing stale data.

How so?

I admit that in writing the code, I was far more concerned with stopping
the attack we were under than with any theoretical reliability concerns,
but given the way we generate the ISS (which I cannot take credit for), we will
not get values that are slightly less than a previous one for a given set of
{saddr, sport, daddr, dport}, which should suffice for the above concern.


        --jeff

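The stateless ISS scheme quoted and discussed above (a few bits of the ISS index an MSS table, the rest is a truncated MD5 over a 32-byte secret and the header fields, and no per-connection state is kept), as an added worked example in Python. This is not the SunOS code from the post or from Avi Freedman's patch; the MSS table contents, the 3-bit index width, the sample secret, the sample addresses, and the exact set of header fields hashed (the four-tuple plus the client's initial sequence number) are all assumptions, since the post only says "a few bits" and "the interesting header info".

```python
import hashlib
import struct

# Constructed 32-byte secret standing in for the host's secret (assumption;
# a real host would draw this from a CSPRNG at boot).
SECRET = bytes(range(32))

# Hypothetical MSS table; MSS_BITS bits of the ISS index into it. The post does
# not give the table or the width, both are assumptions here.
MSS_TABLE = (536, 1024, 1460, 2048, 4096, 8192, 16384, 65535)
MSS_BITS = 3
HASH_BITS = 32 - MSS_BITS          # 29 bits of the ISS carry the MD5 residue
HASH_MASK = (1 << HASH_BITS) - 1


def mss_index(peer_mss):
    """Index of the largest table entry not exceeding the peer's MSS
    (falls back to entry 0 for anything below the smallest value)."""
    idx = 0
    for i, v in enumerate(MSS_TABLE):
        if v <= peer_mss:
            idx = i
    return idx


def cookie_hash(saddr, sport, daddr, dport, client_isn):
    """MD5 over the secret and the header fields, truncated to HASH_BITS.
    Window size, options and any SYN data are deliberately not inputs."""
    msg = SECRET + struct.pack("!4sH4sHI", saddr, sport, daddr, dport, client_isn)
    digest = hashlib.md5(msg).digest()
    return struct.unpack("!I", digest[:4])[0] & HASH_MASK


def make_iss(saddr, sport, daddr, dport, client_isn, peer_mss):
    """ISS for the SYN/ACK. Nothing about this SYN is stored locally."""
    return (mss_index(peer_mss) << HASH_BITS) | cookie_hash(
        saddr, sport, daddr, dport, client_isn)


def check_ack(saddr, sport, daddr, dport, seq, ack):
    """Validate the third packet of the handshake without stored state.

    The ACK's acknowledgment number is our ISS + 1 and its sequence number
    is the client's ISN + 1, so both inputs to the cookie can be recovered
    from the packet itself. Returns the negotiated MSS, or None if the
    cookie does not verify (the ACK is then dropped as spoofed or stale).
    """
    our_iss = (ack - 1) & 0xFFFFFFFF
    client_isn = (seq - 1) & 0xFFFFFFFF
    if (our_iss & HASH_MASK) != cookie_hash(saddr, sport, daddr, dport, client_isn):
        return None
    return MSS_TABLE[our_iss >> HASH_BITS]


def demo():
    """Constructed handshake: 10.0.0.1:40000 -> 10.0.0.2:80, client ISN 0x1234."""
    saddr, sport = b"\x0a\x00\x00\x01", 40000
    daddr, dport = b"\x0a\x00\x00\x02", 80
    client_isn = 0x1234
    iss = make_iss(saddr, sport, daddr, dport, client_isn, peer_mss=1460)
    good = check_ack(saddr, sport, daddr, dport, client_isn + 1, iss + 1)
    forged = check_ack(saddr, sport, daddr, dport, client_isn + 1, iss + 2)
    return iss, good, forged


if __name__ == "__main__":
    iss, good, forged = demo()
    print("ISS=%08x recovered MSS=%s forged ACK accepted=%s"
          % (iss, good, forged is not None))
```

Note that this example, like the scheme as described in the thread, has no clock or counter in the cookie: a valid ACK for a given four-tuple and client ISN verifies for as long as the secret is unchanged, so rotating the secret is what bounds that window.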