SYN cookies
SYN Cookies are the key element of a technique used to guard against SYN flood attacks. Daniel J. Bernstein, the technique's primary inventor, defines SYN Cookies as "particular choices of initial TCP sequence numbers by TCP servers." In particular, the use of SYN Cookies allows a server to avoid dropping connections when the SYN queue fills up. Instead, the server behaves as if the SYN queue had been enlarged. The server sends back the appropriate SYN+ACK response to the client but discards the SYN queue entry. If the server then receives a subsequent ACK response from the client, the server is able to reconstruct the SYN queue entry using information encoded in the TCP sequence number.

Implementation

In order to initiate a TCP connection, the client sends a TCP SYN packet to the server. In response, the server sends a TCP SYN+ACK packet back to the client. One of the values in this packet is a sequence number, which is used by the TCP protocol to reassemble the data stream. According to the TCP specification, that first sequence number sent by an endpoint can be any value as decided by that endpoint. SYN Cookies are initial sequence numbers that are carefully constructed according to the following rules:
  • let t = a slowly-incrementing timestamp (typically time logically right-shifted 6 positions, which gives a 64-second resolution)
  • let m = the maximum segment size (MSS) value that the server would have stored in the SYN queue entry
  • let s = the result of a cryptographic secret function computed over the server IP address and port number, the client IP address and port number, and the value t. The returned value s must be a 24-bit value.


The initial TCP sequence number, i.e. the SYN Cookie, is computed as follows:
  • First 5 bits: t mod 32
  • Next 3 bits: an encoded value representing m
  • Final 24 bits: s


(Note: since m must be encoded using 3 bits, the server is restricted to sending up to 8 unique values for m when SYN Cookies are in use.)

When a client sends back a TCP ACK packet to the server in response to the server's SYN+ACK packet, the client MUST (according to the TCP spec) use n+1 in the packet's Acknowledgement number, where n is the initial sequence number sent by the server. The server then subtracts 1 from the acknowledgement number to reveal the SYN Cookie sent to the client.

The server then performs the following operations.
  • Checks the value t against the current time to see if the connection is expired.
  • Recomputes s to determine whether this is, indeed, a valid SYN Cookie.
  • Decodes the value m from the 3-bit encoding in the SYN Cookie, which it then can use to reconstruct the SYN queue entry.


From this point forward, the connection proceeds as normal.
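The cookie layout and the three verification steps above, worked through in C as an added example (not code from the page or from any real TCP stack). Assumptions: the "cryptographic secret function" is stood in for by a keyed FNV-1a mix so the example runs self-contained (a real implementation would use a proper keyed cryptographic hash), the 8-entry MSS table is illustrative, and a cookie is accepted for at most one 64-second slot beyond the one it was issued in.

```c
#include <stdint.h>
#include <stddef.h>

#define COOKIE_MAX_AGE 1u   /* assumption: accept cookies at most one 64 s slot old */

/* Illustrative 3-bit MSS table (assumption; real stacks pick their own values). */
static const uint16_t mss_table[8] = {536, 1024, 1220, 1300, 1400, 1440, 1460, 1500};

/* Stand-in for the secret function over (server addr/port, client addr/port, t).
 * Assumption: keyed FNV-1a is used only so the example runs; it is NOT a
 * cryptographic PRF. The result is truncated to the 24 bits the cookie holds. */
static uint32_t secret_fn(uint64_t key, uint32_t saddr, uint16_t sport,
                          uint32_t daddr, uint16_t dport, uint32_t t)
{
    uint64_t h = 1469598103934665603ULL ^ key;
    uint32_t in[5] = { saddr, sport, daddr, dport, t };
    for (size_t i = 0; i < 5; i++)
        for (int b = 0; b < 4; b++) {
            h ^= (in[i] >> (8 * b)) & 0xffu;
            h *= 1099511628211ULL;
        }
    return (uint32_t)(h ^ (h >> 32)) & 0xffffffu;
}

/* Encode m as the index of the largest table entry not exceeding it. */
static uint8_t encode_mss(uint16_t m)
{
    uint8_t idx = 0;
    for (uint8_t i = 0; i < 8; i++)
        if (mss_table[i] <= m) idx = i;
    return idx;
}

/* Build the ISN: [t mod 32 : 5 bits][mss index : 3 bits][s : 24 bits]. */
uint32_t syncookie_make(uint64_t key, uint32_t saddr, uint16_t sport,
                        uint32_t daddr, uint16_t dport, uint32_t t, uint16_t m)
{
    uint32_t s = secret_fn(key, saddr, sport, daddr, dport, t);
    return ((t & 31u) << 27) | ((uint32_t)encode_mss(m) << 24) | s;
}

/* Verify the client's ACK. Returns the reconstructed MSS, or 0 if the cookie
 * is expired or its 24-bit s does not match (i.e. no SYN queue entry is rebuilt). */
uint16_t syncookie_check(uint64_t key, uint32_t saddr, uint16_t sport,
                         uint32_t daddr, uint16_t dport, uint32_t t_now, uint32_t ack_seq)
{
    uint32_t cookie = ack_seq - 1;                    /* client acknowledges ISN + 1 */
    uint32_t age = (t_now - (cookie >> 27)) & 31u;    /* slots elapsed, recovered mod 32 */
    if (age > COOKIE_MAX_AGE) return 0;               /* step 1: expired */
    uint32_t t = t_now - age;                         /* full t, given the 5 stored bits */
    if ((cookie & 0xffffffu) != secret_fn(key, saddr, sport, daddr, dport, t))
        return 0;                                     /* step 2: s does not verify */
    return mss_table[(cookie >> 24) & 7u];            /* step 3: decode m */
}
```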

Drawbacks

The use of SYN Cookies does not break any protocol specifications, and therefore should be compatible with all TCP implementations. There are, however, three caveats that take effect when SYN Cookies are in use. First, the server is limited to only 8 unique MSS values, as that's all that can be encoded in 3 bits. Second, the server must reject all TCP options (such as large windows), because the server discards the SYN queue entry where that information would otherwise be stored. Third, a connection may freeze when the final ACK of the three-way handshake is lost and the client first awaits data from the server (i.e. client has completed the three-way handshake, server did not receive the client's ACK and thus has not actually opened the connection).

While these restrictions necessarily lead to a sub-optimal experience, their effect is rarely noticed by clients. Furthermore, these restrictions need only apply when the server is under attack, and the connection would have otherwise been denied. In such a situation, the loss of a few of the more esoteric options in order to save the connection is usually a reasonable compromise. Version 2.6.26 of the Linux kernel added limited support of TCP options, by encoding them into the timestamp.

The newer TCP Cookie Transactions (TCPCT) standard is designed to overcome these shortcomings of SYN cookies and to improve on it in a couple of aspects. Unlike SYN cookies, TCPCT is a TCP extension and requires support from both endpoints.

History

The technique was created by Daniel J. Bernstein and Eric Schenk in September 1996. The first implementation for SunOS was released by Jeff Weisberg a month later, and Eric Schenk released his Linux implementation in February 1997 (the current implementation uses e.g. net.ipv4.tcp_syncookies).
The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.