P29 SYN cookies were discussed in Section 3.5.6.
a. Why is it necessary for the server to use a special initial sequence number in SYNACK?
b. Suppose an attacker knows that a target host uses SYN cookies. Can the attacker create half-open or fully open connections by simply sending an ACK packet to the target? Why or why not?
c. Suppose an attacker collects a large amount of initial sequence numbers sent by the server. Can the attacker cause the server to create many fully open connections by sending ACKs with those initial sequence numbers? Why?
Textbook: Jim Kurose and Keith Ross, "Computer Networking: A Top-Down Approach", Addison-Wesley, Seventh Edition, 2017. ISBN-13: 978-0-13-359414-0
b) Half-open connections are not possible because a server using SYN cookies does not store or maintain any connection variables or buffers for a connection before it is fully open.
A fully open connection is possible if and only if the attacker has the special initial sequence number, which corresponds to the IP address of the victim machine plus a secret key used by the server. Since the attacker cannot obtain this secret key, the attacker cannot guess the initial sequence number, and hence a fully open connection is not possible.
c) No, the initial sequence number is formed by adding a timestamp and a time to live. So even if the attacker has the initial sequence number, it is of no use, as the server will discard the expired initial sequence number.
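To make the three parts concrete, here is an added simulation of a SYN-cookie listener; it is not code from the textbook or from the answer above. It follows D. J. Bernstein's cookie layout (a 5-bit coarse time counter in the top bits and a 24-bit keyed hash of the 4-tuple in the low bits; the 3 MSS bits are left at zero), so the time-counter window and the 64-second tick are assumptions of that design. The IP addresses, ports, clock value and server secret are constructed for the demo. The server stores nothing on SYN, and an ACK is accepted only if `ack - 1` recomputes to a valid, recent cookie for the exact source address and port it arrived from.

```python
import hashlib
import hmac

# Constructed secret for the demo; a real server draws one at boot and rotates it.
SERVER_SECRET = b"constructed-demo-secret"
TICK_SECONDS = 64          # Bernstein's design: time counter advances every 64 s
MASK32 = 0xFFFFFFFF


def _hash24(src_ip, src_port, dst_ip, dst_port, t, secret):
    """24-bit keyed hash over the connection 4-tuple and the time counter t."""
    msg = f"{src_ip}:{src_port}->{dst_ip}:{dst_port}|{t}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(src_ip, src_port, dst_ip, dst_port, now, secret=SERVER_SECRET):
    """Special initial sequence number for the SYNACK (part a): t mod 32 | hash."""
    t = int(now) // TICK_SECONDS
    return ((t & 0x1F) << 27) | _hash24(src_ip, src_port, dst_ip, dst_port, t, secret)


def verify_cookie(cookie, src_ip, src_port, dst_ip, dst_port, now,
                  secret=SERVER_SECRET, max_age_ticks=3):
    """Recompute the cookie from the ACK's own 4-tuple; accept only recent ticks."""
    t_low = cookie >> 27
    t_now = int(now) // TICK_SECONDS
    for age in range(max_age_ticks + 1):
        t = t_now - age
        if t & 0x1F != t_low:
            continue                      # this tick cannot have produced the cookie
        expected = _hash24(src_ip, src_port, dst_ip, dst_port, t, secret)
        return hmac.compare_digest(expected.to_bytes(3, "big"),
                                   (cookie & 0xFFFFFF).to_bytes(3, "big"))
    return False                          # cookie older than the window, or garbage


class SynCookieServer:
    """Listener that allocates connection state only when the handshake completes."""

    def __init__(self, ip, port, secret=SERVER_SECRET):
        self.ip, self.port, self.secret = ip, port, secret
        self.established = set()          # the only table: fully open connections

    def half_open_count(self):
        # There is no half-open table at all, which is the point of part (b).
        return 0

    def on_syn(self, src_ip, src_port, now):
        """Reply to a SYN with the cookie as ISN and deliberately store nothing."""
        return make_cookie(src_ip, src_port, self.ip, self.port, now, self.secret)

    def on_ack(self, src_ip, src_port, ack_num, now):
        """Open a connection only if ack-1 is a valid cookie for this source tuple."""
        cookie = (ack_num - 1) & MASK32
        if verify_cookie(cookie, src_ip, src_port, self.ip, self.port, now, self.secret):
            self.established.add((src_ip, src_port))
            return True
        return False


def run_scenarios():
    """Walk through the question with constructed traffic; returns the outcomes."""
    srv = SynCookieServer("203.0.113.10", 80)
    t0 = 1_700_000_000                    # constructed clock value in seconds
    results = {}

    # A legitimate client completes all three steps of the handshake.
    isn = srv.on_syn("198.51.100.5", 40000, t0)
    results["legit_handshake"] = srv.on_ack("198.51.100.5", 40000, isn + 1, t0 + 1)

    # Part (b): a bare ACK carrying a guessed number, and no half-open state consumed.
    results["bare_ack"] = srv.on_ack("198.51.100.6", 40001, 0x12345679, t0 + 1)
    results["half_open"] = srv.half_open_count()

    # Part (c): a cookie the server issued for one source tuple is useless for any
    # other tuple, and is rejected for its own tuple once the time counter moves on.
    collected = srv.on_syn("198.51.100.7", 40002, t0)
    results["wrong_tuple"] = srv.on_ack("198.51.100.8", 40002, collected + 1, t0 + 1)
    results["expired"] = srv.on_ack("198.51.100.7", 40002, collected + 1,
                                    t0 + 5 * TICK_SECONDS)
    results["established"] = len(srv.established)
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The check worth noting in `verify_cookie` is that the server never looks anything up: it recomputes the hash from the ACK's source address and port, the secret and a small window of time-counter values, so a forged or replayed ACK costs the server one HMAC and no memory. The `max_age_ticks` window is what gives collected cookies a short shelf life; shrinking it tightens part (c) at the cost of rejecting slow clients.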