SYN Cookie

Hacking 2011. 8. 3. 03:11
SYN Cookie is a stateless SYN Proxy mechanism you can use in conjunction with
the defenses against a SYN Flood attack described in “SYN Flood” on page 40. Like
traditional SYN proxying, SYN Cookie is activated when the SYN Flood attack
threshold is exceeded, but because SYN Cookie is stateless, it does not set up a
session or do policy and route lookups upon receipt of a SYN segment, and
maintains no connection request queues. This dramatically reduces CPU and
memory usage and is the primary advantage of using SYN Cookie over the
traditional SYN proxying mechanism.
When SYN Cookie is enabled on the security device and becomes the
TCP-negotiating proxy for the destination server, it replies to each incoming SYN
segment with a SYN/ACK containing an encrypted cookie as its Initial Sequence
Number (ISN). The cookie is an MD5 hash of the original source address and port
number, destination address and port number, and ISN from the original SYN
packet. After sending the cookie, the device drops the original SYN packet and
deletes the calculated cookie from memory. If there is no response to the packet
containing the cookie, the attack is noted as an active SYN attack and is effectively
stopped.
If the initiating host responds with a TCP packet containing the cookie + 1 in the
TCP ACK field, the device extracts the cookie, subtracts 1 from the value, and
recomputes the cookie to validate that it is a legitimate ACK. If it is legitimate, the
device starts the TCP proxy process by setting up a session and sending a SYN to
the server containing the source information from the original SYN. When the
device receives a SYN/ACK from the server, it sends ACKs to the server and to the
initiating host. At this point the connection is established and the host and server
are able to communicate directly.
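The cookie computation and the stateless validation of the returning ACK described above, as an added example that is not from the original post or from the device documentation it quotes. The per-device secret mixed into the hash, the sample addresses and the ISN values are assumptions; the page only says the cookie is "encrypted", so the secret stands in for that key material.

```python
import hashlib
import struct
from ipaddress import ip_address

# Assumption (not from the page): a per-device secret so a third party cannot
# precompute cookies for a given 4-tuple. Constructed value for this example.
DEVICE_SECRET = b"constructed-secret-for-this-example"

MASK32 = 0xFFFFFFFF  # TCP sequence/acknowledgement numbers are 32-bit


def syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, secret=DEVICE_SECRET):
    """Return the 32-bit ISN the proxy places in its SYN/ACK.

    MD5 over the 4-tuple and the client's ISN, as the text describes, truncated
    to the 32 bits a sequence number can hold. Works for IPv4 and IPv6.
    The caller keeps nothing afterwards: the cookie is recomputed on demand.
    """
    material = (
        ip_address(src_ip).packed + struct.pack("!H", src_port)
        + ip_address(dst_ip).packed + struct.pack("!H", dst_port)
        + struct.pack("!I", client_isn & MASK32)
        + secret
    )
    digest = hashlib.md5(material).digest()
    return struct.unpack("!I", digest[:4])[0]


def validate_ack(src_ip, src_port, dst_ip, dst_port, ack_seq, ack_ack, secret=DEVICE_SECRET):
    """Stateless check of the client's final ACK of the handshake.

    ack_seq is the ACK's sequence number, which per TCP equals the client's
    ISN + 1, so the original ISN is recovered from the packet itself rather
    than from a table. ack_ack is the acknowledgement number (cookie + 1).
    Both subtractions wrap modulo 2^32 so a cookie of 0xFFFFFFFF (ack 0)
    still validates.
    """
    client_isn = (ack_seq - 1) & MASK32
    presented_cookie = (ack_ack - 1) & MASK32
    expected = syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, secret)
    return presented_cookie == expected


if __name__ == "__main__":
    # Constructed handshake: proxy answers a SYN, then sees the client's ACK.
    cookie = syn_cookie("10.0.0.5", 40000, "192.0.2.10", 80, 12345)
    ok = validate_ack("10.0.0.5", 40000, "192.0.2.10", 80,
                      (12345 + 1) & MASK32, (cookie + 1) & MASK32)
    print(f"cookie=0x{cookie:08x} legitimate_ack={ok}")
```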

Posted by CEOinIRVINE