Bugtraq mailing list archives

Re: Excellent host SYN-attack fix for BSD hosts


From: casper () holland Sun COM (Casper Dik)
Date: Wed, 16 Oct 1996 09:11:51 +0200


According to Avi Freedman:
contains a few bits for reference into a table of MSS values; window size
and any initial data is discarded; and the rest of the ISS is the MD5 output

It will also break T/TCP I think. While it is not a big issue at the moment
it may become a real one later. Stevens in his third volume describes why
T/TCP is a good thing and it will be seen more and more in the future.


It will not necessarily break T/TCP.  T/TCP is supposed to be compatible w/
TCP and I think you can pretend that you only ack'ed the SYN rather than the
data + FIN that come with T/TCP in the same packet.

There are some options that are only sent with SYN and which may need to be
encoded, and you may quickly run out of sufficient bits to prevent entering
through a "SYN" filter.

If you insist on SYN-cookies, make sure you use them as fall-back strategy only.
I.e., when the queue is (near) full.

As for T/TCP, Stevens' book is inconsistent in saying that it is compatible
first and then saying it really is not as soon as your packets are bigger than
the MAXMSS (as soon as the fragments arrive out of order, you're in trouble).

So T/TCP is only beneficial if reply & response fit in 500 or so bytes;
such transactions are atypical, even for HTTP for which T/TCP was originally
developed (most replies are much longer).

Casper
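The cookie layout quoted at the top of this message (a few ISS bits indexing an MSS table, window size and SYN data discarded, the rest MD5 output) together with Casper's "fall-back only when the queue is near full" advice, as constructed example code added here; it is not from any poster or from a BSD implementation. The 8-entry MSS table, the packed field layout, the server secret and the coarse time counter are all assumptions.

```python
import hashlib
import struct

# Constructed table: 3 bits of the ISS select one of 8 MSS values
MSS_TABLE = (536, 1024, 1440, 1460, 2048, 4096, 8192, 16384)
MSS_BITS = 3
HASH_BITS = 32 - MSS_BITS
HASH_MASK = (1 << HASH_BITS) - 1

def mss_index(mss):
    """Index of the largest table entry not exceeding the peer's MSS (0 if none fits)."""
    idx = 0
    for i, value in enumerate(MSS_TABLE):
        if value <= mss:
            idx = i
    return idx

def cookie_hash(secret, saddr, daddr, sport, dport, client_isn, counter):
    """MD5 over the 4-tuple, the client's ISN, a coarse time counter and a server
    secret (assumed inputs), truncated to the bits left after the MSS index."""
    data = struct.pack("!4s4sHHII", saddr, daddr, sport, dport, client_isn, counter)
    digest = hashlib.md5(secret + data).digest()
    return int.from_bytes(digest[:4], "big") & HASH_MASK

def make_syn_cookie(secret, saddr, daddr, sport, dport, client_isn, counter, mss):
    """Server ISS for the SYN/ACK: MSS table index in the top bits, MD5 output below.
    The client's window size and any data on the SYN are deliberately not encoded."""
    h = cookie_hash(secret, saddr, daddr, sport, dport, client_isn, counter)
    return (mss_index(mss) << HASH_BITS) | h

def check_syn_cookie(secret, saddr, daddr, sport, dport, client_isn, counter, ack):
    """Validate the handshake ACK against a cookie without any queued state.
    client_isn is the sequence number of the original SYN (ACK seq minus 1).
    Returns the MSS to use for the rebuilt connection, or None if the cookie fails."""
    iss = (ack - 1) & 0xFFFFFFFF          # the client acknowledges ISS + 1
    expected = cookie_hash(secret, saddr, daddr, sport, dport, client_isn, counter)
    if (iss & HASH_MASK) != expected:
        return None
    return MSS_TABLE[iss >> HASH_BITS]

def use_cookie(queue_len, queue_max, threshold=0.9):
    """Fall-back policy: answer with a cookie only when the SYN queue is (near) full."""
    return queue_len >= queue_max * threshold
```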


