Date: Wed, 18 Jul 2001 13:59:04 -0700
From: "Chris Peterson" <chris@potamus.org>
To: <freebsd-arch@freebsd.org>
Subject: Re: TCP Initial Sequence Numbers: We need to talk
Message-ID: <001101c10fcc$7a7927f0$a586fa18@chris>
Steve Gibson has written a paper describing his algorithm (called GENESIS) to defend against SYN floods. I don't know if he has implemented it or if his idea is even feasible. His algorithm is so simple, I suspect he must be overlooking something.

Basically, he proposes that the server responds to client SYNs with a SYN/ACK whose ISN is the client SYN's ISN plus the RC5 encrypted client source IP address. When the server receives an ACK reply, it subtracts the client's ACK ISN and decrypts the result. If the decrypted value equals the client's source IP address, then this is a valid ACK. The server postpones maintaining TCP connection state until after receiving a valid ACK reply to its SYN/ACK.

More information about GENESIS: http://grc.com/r&d/nomoredos2.htm

chris
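The handshake check as the post describes it, written out as an added example that is not part of the original message or of Gibson's paper. A 4-round Feistel permutation keyed with HMAC-SHA256 stands in for RC5 (the post gives no RC5 parameters), and the third handshake packet is assumed to carry seq = client ISN + 1 and ack = server ISN + 1, the standard TCP numbering the post leaves implicit; the key and addresses are constructed sample values.

```python
import hmac
import hashlib
import struct
import ipaddress

MASK32 = 0xFFFFFFFF
ROUNDS = 4

def _round_fn(key: bytes, half: int, rnd: int) -> int:
    """Keyed 16-bit round function: truncated HMAC-SHA256 (stand-in for RC5)."""
    mac = hmac.new(key, struct.pack(">BH", rnd, half), hashlib.sha256).digest()
    return struct.unpack(">H", mac[:2])[0]

def encrypt32(key: bytes, value: int) -> int:
    """Invertible keyed permutation of a 32-bit word (Feistel network)."""
    left, right = value >> 16, value & 0xFFFF
    for rnd in range(ROUNDS):
        left, right = right, left ^ _round_fn(key, right, rnd)
    return (left << 16) | right

def decrypt32(key: bytes, value: int) -> int:
    """Inverse of encrypt32: same rounds applied in reverse order."""
    left, right = value >> 16, value & 0xFFFF
    for rnd in reversed(range(ROUNDS)):
        left, right = right ^ _round_fn(key, left, rnd), left
    return (left << 16) | right

def syn_ack_isn(key: bytes, client_ip: str, client_isn: int) -> int:
    """Server ISN = client ISN + E_key(client source address), mod 2^32.
    Nothing is stored per SYN; the token is recomputed from the ACK."""
    token = encrypt32(key, int(ipaddress.IPv4Address(client_ip)))
    return (client_isn + token) & MASK32

def ack_is_valid(key: bytes, src_ip: str, seq: int, ack: int) -> bool:
    """Stateless check of the third handshake packet (assumed TCP numbering:
    seq = client ISN + 1, ack = server ISN + 1). Recover the token by
    subtracting the client ISN, decrypt it, and compare with the source address."""
    client_isn = (seq - 1) & MASK32
    token = (ack - 1 - client_isn) & MASK32
    return decrypt32(key, token) == int(ipaddress.IPv4Address(src_ip))

if __name__ == "__main__":
    key = b"constructed-server-secret"                  # constructed sample key
    client_ip, client_isn = "192.0.2.10", 0x9ABCDEF0    # constructed client
    isn = syn_ack_isn(key, client_ip, client_isn)
    # Genuine third packet: seq and ack each advance by one
    print(ack_is_valid(key, client_ip, client_isn + 1, isn + 1))        # True
    # The same ack number arriving from another source address fails
    print(ack_is_valid(key, "198.51.100.7", client_isn + 1, isn + 1))   # False
```

Because the token depends only on the source address and the server key, the check binds the ACK to the address the SYN/ACK was sent to and to nothing else; the server keeps no table of half-open connections, which is the whole point of the scheme.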