论文信息 - Improving the functionality of syn cookies

Improving the functionality of syn cookies

Current Linux kernels include a facility called TCP SYN cookies, conceived to face SYN flooding attacks. However, the current implementation of SYN cookies does not support the negotiation of TCP options, although some of them are relevant for throughput performance, such as large windows or selective acknowledgment. In this paper we present an improvement of the SYN cookie protocol, using all the current mechanisms for generating and validating cookies while allowing connections negotiated with SYN cookies to set up and use any TCP options. The key idea is to exploit a kind of TCP connection called “simultaneous connection initiation” in order to lead client hosts to send together TCP options and SYN cookies to a server being attacked.

André Zúquete | A. Zúquete

[1] Craig Smith,et al. Know Your Enemy : Passive Fingerprinting , 2001 .

[2] Patrick Lincoln,et al. TCP SYN Flooding Defense , 1999 .

[3] Paul Ferguson,et al. Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing , 1998, RFC.

[4] Farnam Jahanian,et al. Defeating TCP/IP Stack Fingerprinting , 2000, USENIX Security Symposium.

[5] Robert T. Braden,et al. Requirements for Internet Hosts - Communication Layers , 1989, RFC.

[6] Steven M. Bellovin,et al. Defending against Sequence Number Attacks , 2012, RFC.

[7] Van Jacobson,et al. TCP extensions for long-delay paths , 1988, RFC.

[8] Van Jacobson,et al. TCP Extensions for High Performance , 1992, RFC.

[9] Burak Dayioglu,et al. USE OF PASSIVE NETWORK MAPPING TO ENHANCE SIGNATURE QUALITY OF MISUSE NETWORK INTRUSION DETECTION SYSTEMS , 2001 .