TCP SYN Cookie for handling SYN Flooding problem
Although TCP is widely used by many applications today, there’re still some drawbacks of this protocol. One of them is SYN Flooding problem. Let us first understand how TCP connection established.
1. When a TCP client want to connect to TCP server, TCP client will send initial TCP packet with SYN flag active. This packet contains sequence number (32 bit length), let say this seq. number is X.
2. When TCP Server receive this initial packet, then TCP server will send TCP packet contain SYN + ACK flag active. This packet contain:
1. next sequence number of TCP client’s packet which is = X+1
2. It’s own sequence number, let say this TCP server seq. number is = Y
TCP server will then allocate buffer to save this packet information.
3. TCP Client receive this SYN+ACK packet and then send the ACK packet to TCP server to acknowledge the TCP server’s next seq number which is = Y + 1
And then connection established
The problem is, if TCP client just follow 1st step and never send ACK packet as described at step 3, then TCP server will allocate memory buffer for bogus connection. Especially if TCP client spoof it’s IP address and send huge number of initial TCP SYN connection, then TCP server could crash because out of memory.
Using TCP SYN Cookie, TCP Server use special algorithm which you can read here, so on step 2 above, TCP server will never allocate buffer memory to save it’s own TCP SYN+ACK information. TCP server will be able to extract it’s sequence number if client send ACK that contain’s next sequence number.
SYN Cookie was created by Daniel J. Bernstein, creator of many open source software like QMail, djbdns and publicfile