
Following is a snippet of code from the Linux kernel. It includes the seq of the client in the SYN cookie. The problem with this scheme is that if the first packet from the client gets dropped, the connection will get reset on the second packet. My question is: why do you need to include the client sequence number in the SYN cookie?

/* From net/ipv4/syncookies.c. cookie_hash(), COOKIEBITS (24) and
 * COOKIEMASK (the low 24 bits) are defined earlier in the same file. */
static __u32 secure_tcp_syn_cookie(__be32 saddr, __be32 daddr, __be16 sport,
                                   __be16 dport, __u32 sseq, __u32 count,
                                   __u32 data)
{
    /*
     * Compute the secure sequence number.
     * The output should be:
     *   HASH(sec1,saddr,sport,daddr,dport,sec1) + sseq + (count * 2^24)
     *      + (HASH(sec2,saddr,sport,daddr,dport,count,sec2) % 2^24).
     * Where sseq is their sequence number and count increases every
     * minute by 1.
     * As an extra hack, we add a small "data" value that encodes the
     * MSS into the second hash value.
     */

    return (cookie_hash(saddr, daddr, sport, dport, 0, 0) +
            sseq + (count << COOKIEBITS) +
            ((cookie_hash(saddr, daddr, sport, dport, count, 1) + data)
             & COOKIEMASK));
}

1 Answer


The sseq number is included in the hash operation so that more state information is captured in the cookie. The general idea is that a hash becomes more robust when several disjoint pieces of information are cooked together. And as for your concern that the conn gets reset in the second-SYN case: yes, it happens, and that is the intent. Not only that, SYN cookies are normally only enabled when the server is detected to be under threat.

Please read the extensive details on the SYN-cookie implementation here, including why the sseq number is one of the input parameters.

http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_9-4/syn_flooding_attacks.html

answered 2013-10-04T06:28:23.043
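To make the sseq binding concrete, here is an added example (not kernel code, and not part of the question or the answer) that reimplements the cookie arithmetic from the question together with the matching check the kernel performs on the returning ACK, using a constructed, unkeyed stand-in hash in place of the kernel's keyed cookie_hash(). With the client's real ISN the MSS index is recovered; with any other value it is not, which is what ties the cookie to the client's own SYN.

```c
#include <stdint.h>
#include <stdio.h>

#define COOKIEBITS 24
#define COOKIEMASK (((uint32_t)1 << COOKIEBITS) - 1)
#define COUNTER_TRIES 4  /* cookie stays valid for this many minute ticks */

/* Stand-in for the kernel's keyed cookie_hash(): an unkeyed toy mixer,
 * constructed for this example only (the kernel uses a secret-keyed hash). */
static uint32_t toy_hash(uint32_t saddr, uint32_t daddr, uint16_t sport,
                         uint16_t dport, uint32_t count, uint32_t c)
{
    uint32_t h = 0x9e3779b9u ^ (c ? 0xdeadbeefu : 0xcafebabeu);
    uint32_t in[5] = { saddr, daddr, sport, dport, count };
    for (int i = 0; i < 5; i++) { h = (h ^ in[i]) * 0x01000193u; h ^= h >> 15; }
    return h;
}

/* Same arithmetic as secure_tcp_syn_cookie() in the question. */
static uint32_t make_cookie(uint32_t saddr, uint32_t daddr, uint16_t sport,
                            uint16_t dport, uint32_t sseq, uint32_t count,
                            uint32_t data)
{
    return toy_hash(saddr, daddr, sport, dport, 0, 0) + sseq +
           (count << COOKIEBITS) +
           ((toy_hash(saddr, daddr, sport, dport, count, 1) + data) & COOKIEMASK);
}

/* Validation on the returning ACK: strip hash1 and the client's sseq, read the
 * minute count from the top 8 bits, reject stale cookies, then peel off hash2.
 * Returns data (MSS index) when sseq matches, UINT32_MAX when stale, garbage otherwise. */
static uint32_t check_cookie(uint32_t saddr, uint32_t daddr, uint16_t sport,
                             uint16_t dport, uint32_t sseq, uint32_t cookie,
                             uint32_t now)
{
    uint32_t rem = cookie - (toy_hash(saddr, daddr, sport, dport, 0, 0) + sseq);
    uint32_t count = rem >> COOKIEBITS;
    if (now - count >= COUNTER_TRIES) /* unsigned: a count from the future fails too */
        return UINT32_MAX;
    return (rem - toy_hash(saddr, daddr, sport, dport, count, 1)) & COOKIEMASK;
}

int main(void)
{
    /* constructed sample: 10.0.0.1:40000 -> 10.0.0.2:80, ISN 0x12345678, minute 100, MSS index 3 */
    uint32_t c = make_cookie(0x0a000001u, 0x0a000002u, 40000, 80, 0x12345678u, 100, 3);
    printf("right sseq -> %u\n", check_cookie(0x0a000001u, 0x0a000002u, 40000, 80, 0x12345678u, c, 100));
    printf("wrong sseq -> %u\n", check_cookie(0x0a000001u, 0x0a000002u, 40000, 80, 0x12345677u, c, 100));
    return 0;
}
```

In the kernel the recovered value is accepted only if it indexes the small MSS table, which is how an ACK that is not bound to the original SYN gets rejected; the stale-count check bounds how long any cookie stays usable.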