Posted Apr 11, 2008 15:14 UTC (Fri) by Randakar (guest, #27808)
In reply to: Compression? by jzbiciak
Parent article: Improving syncookies

One consideration is that with DoS attacks the attacker is trying to make the receiving end do
as much work as possible for as little cost to the attacker as possible. So with this
implementation he'd use an odd combination of option flags to make your server burn as much
bandwidth as possible. More than he is using in sending out SYN packets.

You can't really put more data in your ACK than he is putting in his SYN or you will lose.

Good security requires careful thought :-)



Posted Apr 14, 2008 20:42 UTC (Mon) by jzbiciak (subscriber, #5246)

I don't know that such a lookup is terribly expensive at all.  If someone shows up with
options that aren't in your "greatest hits" list, you don't need to update anything until the
person makes a complete connection.

Initially, syncookies don't even get engaged at all anyway.  Once they do get engaged, all
you're left with is a table lookup to find hit/miss in the greatest hits table, and a version
of the existing cryptographic hash if the pattern's a miss.  With a properly designed
(non-cryptographic) hash for the "greatest hits" lookup, that should go very quickly and
cheaply, and can even save you from doing the cryptographic hash for the syncookie.  You could
actually end up ahead of the curve in terms of computational load.
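
As an added illustration of the scheme jzbiciak sketches above (a cheap non-cryptographic
lookup into a small "greatest hits" table of option patterns, with the keyed cookie hash
only binding the table index), here is example code written for this page. It is not code
from the article, from the kernel, or from either commenter. Everything specific is an
assumption: the option fields tracked, the six table entries, the cookie layout (5-bit
time counter, 3-bit index with 7 reserved for "miss", 24-bit MAC), the flow and counter
values, and keyed_mac(), which is a stand-in mixer rather than a cryptographic hash (a real
stack would use SipHash or similar). The miss path here falls back to a cookie carrying no
option information and conservative defaults on the server side.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TCP options from the SYN that the SYN-ACK side wants to get back later. */
struct tcp_opts {
    uint16_t mss;
    uint8_t  wscale;    /* 0 = window scaling not offered (assumption) */
    bool     sack_ok;
    bool     tstamp;
};

/* "Greatest hits": constructed list of option patterns treated as common. */
static const struct tcp_opts hits[] = {
    { 1460, 7, true,  true  },
    { 1460, 0, true,  false },
    { 1440, 6, true,  true  },
    { 1380, 8, true,  true  },
    { 1220, 7, true,  true  },
    {  536, 0, false, false },
};
#define NHITS    (sizeof hits / sizeof hits[0])
#define IDX_BITS 3
#define IDX_MISS ((1u << IDX_BITS) - 1)   /* 7: pattern is not in the table */
#define NBUCKETS 16                       /* direct-mapped index over the table */

static uint8_t bucket[NBUCKETS];          /* table index + 1; 0 = empty slot */

static uint32_t pack(const struct tcp_opts *o)
{
    return (uint32_t)o->mss << 16 | (uint32_t)o->wscale << 8 |
           (uint32_t)o->sack_ok << 1 | (uint32_t)o->tstamp;
}

/* Multiplicative hash: no secret, no cryptographic strength needed. */
static unsigned fast_bucket(uint32_t key)
{
    return (key * 2654435761u) >> (32 - 4);
}

static void hits_init(void)
{
    memset(bucket, 0, sizeof bucket);
    for (unsigned i = 0; i < NHITS; i++) {
        unsigned b = fast_bucket(pack(&hits[i]));
        while (bucket[b])                 /* linear probing; NHITS < NBUCKETS */
            b = (b + 1) % NBUCKETS;
        bucket[b] = (uint8_t)(i + 1);
    }
}

/* Hit/miss lookup: a few compares, no cryptographic work at all. */
static unsigned hits_lookup(const struct tcp_opts *o)
{
    static bool built;
    if (!built) { hits_init(); built = true; }
    uint32_t key = pack(o);
    unsigned b = fast_bucket(key);
    for (unsigned n = 0; n < NBUCKETS; n++, b = (b + 1) % NBUCKETS) {
        if (!bucket[b])
            return IDX_MISS;
        if (pack(&hits[bucket[b] - 1]) == key)
            return bucket[b] - 1;
    }
    return IDX_MISS;
}

/* Stand-in keyed mixer (assumption): NOT a cryptographic hash, swap in SipHash. */
static const uint64_t secret[2] = { 0x9e3779b97f4a7c15ull, 0xd1b54a32d192ed03ull };

static uint32_t keyed_mac(const uint32_t *w, size_t n)
{
    uint64_t h = secret[0];
    for (size_t i = 0; i < n; i++) {
        h ^= w[i];
        h *= 0xff51afd7ed558ccdull;
        h ^= h >> 33;
        h += secret[1];
    }
    h ^= h >> 29; h *= 0xbf58476d1ce4e5b9ull; h ^= h >> 32;
    return (uint32_t)h;
}

struct flow { uint32_t saddr, daddr; uint16_t sport, dport; };

#define CNT_BITS 5
#define MAC_BITS (32 - CNT_BITS - IDX_BITS)   /* 24 */
#define MAC_MASK ((1u << MAC_BITS) - 1)

/* The MAC binds the 4-tuple, client ISN, time counter and the table index. */
static uint32_t mac_for(const struct flow *f, uint32_t client_isn, uint32_t count, unsigned idx)
{
    uint32_t w[6] = { f->saddr, f->daddr, (uint32_t)f->sport << 16 | f->dport,
                      client_isn, count, idx };
    return keyed_mac(w, 6) & MAC_MASK;
}

/* Server ISN for the SYN-ACK: [count:5][idx:3][mac:24] (layout is an assumption). */
uint32_t cookie_make(const struct flow *f, uint32_t client_isn, uint32_t count,
                     const struct tcp_opts *o)
{
    unsigned idx = hits_lookup(o);
    count &= (1u << CNT_BITS) - 1;
    return count << (32 - CNT_BITS) | idx << MAC_BITS | mac_for(f, client_isn, count, idx);
}

enum cookie_result { COOKIE_BAD = 0, COOKIE_HIT, COOKIE_MISS };

/* Validate the cookie carried in the client's ACK (ack_seq - 1) and recover options. */
enum cookie_result cookie_check(const struct flow *f, uint32_t client_isn, uint32_t cookie,
                                uint32_t now, struct tcp_opts *out)
{
    uint32_t count = cookie >> (32 - CNT_BITS);
    unsigned idx = (cookie >> MAC_BITS) & IDX_MISS;
    uint32_t age = (now - count) & ((1u << CNT_BITS) - 1);
    if (age > 1)                                   /* only current and previous tick */
        return COOKIE_BAD;
    if (mac_for(f, client_isn, count, idx) != (cookie & MAC_MASK))
        return COOKIE_BAD;
    if (idx == IDX_MISS) {                         /* miss: no option info was kept */
        *out = (struct tcp_opts){ 536, 0, false, false };
        return COOKIE_MISS;
    }
    if (idx >= NHITS)                              /* cannot pass the MAC, but be safe */
        return COOKIE_BAD;
    *out = hits[idx];
    return COOKIE_HIT;
}

int main(void)
{
    struct flow f = { 0x0a000001u, 0x0a000002u, 40000, 80 };   /* constructed */
    struct tcp_opts got;
    uint32_t c = cookie_make(&f, 0x12345678u, 9, &hits[0]);
    printf("cookie %08x -> %d (mss %u wscale %u)\n", c,
           cookie_check(&f, 0x12345678u, c, 9, &got), got.mss, got.wscale);
    return 0;
}
```

The point the example makes concrete: the only per-SYN cost added by the table is
pack() plus one or two bucket compares, and the keyed hash runs exactly once either way,
so an attacker sending unusual option combinations gains nothing over plain syncookies.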

Copyright © 2018, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds