[clug] DDOS using SYN cookies.

Craig Small csmall at enc.com.au
Wed Oct 1 23:25:27 GMT 2008

On Thu, Oct 02, 2008 at 02:07:46AM +1000, Sunnz wrote:
> Looks pretty serious, "there are no known mitigation" technique... now
> I don't completely understand this myself, I know that TCP initiates
> with a 3 way hand shake, but never know a SYN cookie is used to avoid
> DDOS attack... but now SYN cookies are used to do a DDOS?!

SYN cookies are used, or become useful, when the device is under attack.
Under normal circumstances, they might be calculated but they're not
actually used.  Once you are being hit by a SYN attack then your queue
of potiential (ie I got a SYN only) connections fills up, you cannot
take any more of them until they time out.

Then the SYN cookies come into play, you send back the SYN/ACK packet
and encode stuff in the packet but you don't remember anything about the
connection. You lose some TCP facilities but its better than nothing,
which is what you get without them.

I couldn't find too many details, but it looks like to me that the
attack generates cookies and sends them.  That seems a bit strange
because the cookie is supposed to have some secret encoded into them.
Perhaps there is a weakness with the secret, ie if I get one syn cookie
i can predict the others?

The mechanism where it completely locks you out even if the attack is
finished also seems strange. The implementations are supposed to handle
incoming connections normally if the queue becomes free or there is a
maximum overflow time after which it ignores the cookies. If the attack
stops, all the bogus items in the queue should timeout and give space in
the queue or alternatively the overflow timer will expire.

I'd be curious to see what DJB says about it.

 - Craig
Craig Small      GnuPG:1C1B D893 1418 2AF4 45EE  95CB C76C E5AC 12CA DFA5
http://www.enc.com.au/                             csmall at : enc.com.au
http://www.debian.org/          Debian GNU/Linux, software should be Free 

More information about the linux mailing list