To avoid filling up its connection table during SYN-flood-based Denial of Service (DoS) attacks, the CSM uses SYN-cookies, which were covered briefly in Chapter 4. In a SYN-flood attack, the attacker sets random source IP addresses in the numerous SYN packets that it sends to its victim. The victim receives each SYN packet, creates an entry in its connection table, responds with a TCP SYN-ACK packet, and awaits the final ACK segment from the sender. The final segment never arrives. Thus, the victim's connection table fills very quickly with incomplete TCP connection entries.
However, with SYN-cookies, instead of allocating a record for every SYN segment from its clients, the CSM sends SYN-ACK segments with carefully constructed sequence numbers, generated as a hash of the connection's 4-tuple, the Maximum Segment Size, and a secret that changes continuously over time. The connection 4-tuple contains the source and destination IP addresses and the source and destination ports. When valid clients respond to the SYN-ACK with an ACK, they include this special sequence number, which the CSM can verify before creating the connection entry. Without SYN-cookies, the CSM creates connection entries when it receives the initial SYN packet from clients. With SYN-cookies, the CSM creates the connection only when it verifies the client's ACK segment that completes the handshake. Because SYN-flood attackers typically do not respond to SYN-ACK segments, the SYN-flood traffic does not flood the CSM's connection table. Figure 11-7 illustrates SYN-cookies in practice.
Figure 11-7. Using SYN-Cookies to Prevent SYN-Flood Traffic from Flooding the CSM Connection Table
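The following is an added illustration of the SYN-cookie scheme described above; it is not the CSM's code, and the secret, MSS table, bit layout and 64-second counter period are constructed assumptions. The server stores nothing on SYN: the SYN-ACK sequence number carries a keyed hash of the 4-tuple, an MSS index and a time counter, and the final ACK is checked against it.

```python
import hmac
import hashlib
import ipaddress
import struct

SECRET = b"constructed-demo-secret"  # assumption: a real device rotates this periodically
MSS_TABLE = (536, 1220, 1460, 4460)  # the client's MSS is rounded down to one of these
COUNTER_PERIOD = 64  # seconds per tick of the time counter (assumed value)


def _mac(src_ip, src_port, dst_ip, dst_port, mss_idx, counter):
    """Keyed hash over 4-tuple, MSS index and time counter, truncated to 25 bits."""
    msg = struct.pack("!4sH4sHBI",
                      ipaddress.IPv4Address(src_ip).packed, src_port,
                      ipaddress.IPv4Address(dst_ip).packed, dst_port,
                      mss_idx, counter & 0xFFFFFFFF)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & 0x01FFFFFF


def make_syn_cookie(src_ip, src_port, dst_ip, dst_port, client_mss, now):
    """Build the ISN placed in the SYN-ACK; no per-connection state is stored."""
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    counter = int(now // COUNTER_PERIOD)
    mac = _mac(src_ip, src_port, dst_ip, dst_port, mss_idx, counter)
    # Layout: 5 bits of counter | 2 bits of MSS index | 25 bits of MAC = 32-bit ISN
    return ((counter & 0x1F) << 27) | (mss_idx << 25) | mac


def check_syn_cookie(src_ip, src_port, dst_ip, dst_port, ack_num, now):
    """Validate the final ACK; return the negotiated MSS, or None if the cookie is bad."""
    cookie = (ack_num - 1) & 0xFFFFFFFF  # the client acknowledges our ISN + 1
    counter_field = cookie >> 27
    mss_idx = (cookie >> 25) & 0x3
    mac_field = cookie & 0x01FFFFFF
    current = int(now // COUNTER_PERIOD)
    # Accept cookies minted in the current or the previous counter period only,
    # so a captured cookie cannot be replayed indefinitely.
    for counter in (current, current - 1):
        if counter < 0:
            continue
        if (counter & 0x1F) == counter_field and \
           _mac(src_ip, src_port, dst_ip, dst_port, mss_idx, counter) == mac_field:
            return MSS_TABLE[mss_idx]
    return None
```

Only an ACK that echoes a cookie computed for the same 4-tuple within the validity window creates a connection entry; spoofed-source SYNs never produce such an ACK, so they consume no table space.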