From owner-freebsd-arch Wed Jul 18 13:58:19 2001
Delivered-To: freebsd-arch@freebsd.org
Received: from femail2.sdc1.sfba.home.com (femail2.sdc1.sfba.home.com [24.0.95.82]) by hub.freebsd.org (Postfix) with ESMTP id 1541337B406 for ; Wed, 18 Jul 2001 13:58:17 -0700 (PDT) (envelope-from chris@potamus.org)
Received: from chris ([24.250.134.165]) by femail2.sdc1.sfba.home.com (InterMail vM.4.01.03.20 201-229-121-120-20010223) with SMTP id <20010718205816.ZOFR10346.femail2.sdc1.sfba.home.com@chris> for ; Wed, 18 Jul 2001 13:58:16 -0700
Message-ID: <001101c10fcc$7a7927f0$a586fa18@chris>
From: "Chris Peterson"
To:
Subject: Re: TCP Initial Sequence Numbers: We need to talk
Date: Wed, 18 Jul 2001 13:59:04 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Sender: owner-freebsd-arch@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Steve Gibson has written a paper describing his algorithm (called GENESIS) to defend against SYN floods. I don't know if he has implemented it or if his idea is even feasible. His algorithm is so simple, I suspect he must be overlooking something.

Basically, he proposes that the server responds to client SYNs with a SYN/ACK whose ISN is the client SYN's ISN plus the RC5-encrypted client source IP address. When the server receives an ACK reply, it subtracts the client's ACK ISN and decrypts the result. If the decrypted value equals the client's source IP address, then this is a valid ACK. The server postpones maintaining TCP connection state until after receiving a valid ACK reply to its SYN/ACK.
More information about GENESIS: http://grc.com/r&d/nomoredos2.htm

chris

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-arch" in the body of the message
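A worked model of the stateless SYN/ACK check described in the message above, added here as an illustration and not code from the mail, from GRC or from FreeBSD. It assumes a keyed 32-bit tag (HMAC-SHA256 truncated) as a stand-in for the RC5 encryption of the source address, so the server verifies by recomputing the tag rather than decrypting; the key, addresses and ISNs are constructed sample values.

```python
import hashlib
import hmac
import ipaddress

MASK32 = 0xFFFFFFFF
SERVER_KEY = b"constructed-demo-key"  # constructed; a real server would draw this at random


def keyed_tag(key: bytes, client_ip: str) -> int:
    """Stand-in for RC5(client IP): a secret-keyed 32-bit value derived from the source address."""
    packed = ipaddress.IPv4Address(client_ip).packed
    return int.from_bytes(hmac.new(key, packed, hashlib.sha256).digest()[:4], "big")


def synack_isn(key: bytes, client_ip: str, client_isn: int) -> int:
    """Server ISN for the SYN/ACK: client ISN + tag(client IP), mod 2^32. Nothing is stored."""
    return (client_isn + keyed_tag(key, client_ip)) & MASK32


def ack_is_valid(key: bytes, client_ip: str, ack_seq: int, ack_num: int) -> bool:
    """Check the third handshake segment using only the fields it carries.

    ack_seq is the segment's sequence number (client ISN + 1) and ack_num its
    acknowledgment number (server ISN + 1), so both ISNs are recovered from the
    segment itself and the expected tag is recomputed, not looked up in a table.
    """
    client_isn = (ack_seq - 1) & MASK32
    server_isn = (ack_num - 1) & MASK32
    return ((server_isn - client_isn) & MASK32) == keyed_tag(key, client_ip)


def handshake(key: bytes, client_ip: str, client_isn: int) -> bool:
    """Run the three segments of a legitimate handshake and return the server's verdict."""
    s_isn = synack_isn(key, client_ip, client_isn)
    # The client's ACK carries seq = client ISN + 1 and ack = server ISN + 1.
    return ack_is_valid(key, client_ip, (client_isn + 1) & MASK32, (s_isn + 1) & MASK32)


if __name__ == "__main__":
    print("legitimate handshake accepted:", handshake(SERVER_KEY, "192.0.2.10", 0x12345678))
```

Only a segment whose acknowledgment number matches the tag for its own source address is accepted, so a SYN whose ACK never arrives costs the server no table entry.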