TCP SYN cookies
SYN cookies were created in September 1996 by Daniel J. Bernstein and Eric Schenk. One month later they were implemented by Jeff Weisberg for SunOS; Eric Schenk did the same for Linux 2.0.29 in February 1997, and that work ended up being merged, as a reworked patch from Andi Kleen, in Linux 2.1.44. They were enabled by default in Ubuntu 9.04, in April 2009.
The idea behind it is to defend against SYN floods by using a MAC construction (containing an expiration date and the MSS) as the initial sequence number of the server's SYN ACK, since the client's ACK must contain that sequence number incremented by one. This allows the server to verify, without keeping state on its side, that the client sending the ACK is one that previously sent a SYN. This approach has some drawbacks, but is widely accepted as the less worse™ way to deal with SYN floods.
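As an added example that is not part of the original post or of any kernel's code, here is a Python sketch of the classic cookie layout: 5 bits of a coarse time counter, 3 bits of an MSS index and a 24-bit MAC over the connection 4-tuple and the counter, verified statelessly from the ACK number minus one. The secret key, the MSS table and the expiry window of four ticks are constructed values.

```python
import hmac
import hashlib
import socket
import struct

# Constructed demo values: a kernel uses per-boot random secrets and its own MSS table.
SECRET = b"constructed-demo-secret"
MSS_TABLE = (536, 1300, 1440, 1460)   # index fits in the 3 MSS bits
MAX_AGE = 4                           # ticks accepted; one tick is 64 s in the classic design


def _mac24(src_ip, src_port, dst_ip, dst_port, t, secret):
    """24-bit MAC over the 4-tuple and the time counter: the server's only 'memory'."""
    msg = struct.pack("!4sH4sHI", socket.inet_aton(src_ip), src_port,
                      socket.inet_aton(dst_ip), dst_port, t & 0xFFFFFFFF)
    return hmac.new(secret, msg, hashlib.sha256).digest()[:3]


def encode_mss(client_mss):
    """Index of the largest table entry not above the MSS the client advertised."""
    idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= client_mss:
            idx = i
    return idx


def make_cookie(src_ip, src_port, dst_ip, dst_port, client_mss, t, secret=SECRET):
    """ISN the server puts in its SYN ACK: 5 bits of t, 3 bits of MSS index, 24-bit MAC."""
    mac = int.from_bytes(_mac24(src_ip, src_port, dst_ip, dst_port, t, secret), "big")
    return ((t & 0x1F) << 27) | (encode_mss(client_mss) << 24) | mac


def check_cookie(src_ip, src_port, dst_ip, dst_port, ack, now, secret=SECRET):
    """Return the MSS to use if the ACK carries a fresh, valid cookie, else None."""
    cookie = (ack - 1) & 0xFFFFFFFF          # the client must echo our ISN + 1
    t_low, mss_idx = cookie >> 27, (cookie >> 24) & 0x7
    mac = (cookie & 0xFFFFFF).to_bytes(3, "big")
    # Only the low 5 bits of t are in the cookie; rebuild candidates inside the expiry window.
    for age in range(MAX_AGE + 1):
        t = now - age
        if (t & 0x1F) == t_low and hmac.compare_digest(
                _mac24(src_ip, src_port, dst_ip, dst_port, t, secret), mac):
            return MSS_TABLE[mss_idx]
    return None                              # expired, forged, or for a different 4-tuple
```

Because the MAC binds the cookie to the 4-tuple and the counter, an ACK that is late, altered, or sent from another address fails the check without any per-connection state on the server.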
They were implemented in OpenBSD in February 2018, by Henning Brauer, and landed in OpenBSD 6.3, released in April 2018.
Amusingly, OpenBSD was vulnerable to hash table collisions in its SYN cache implementation, until Alexander Bluhm fixed it in March 2016.
This is a basic mitigation against SYN-flood attacks, and while it was useful in 1997, it’s pretty much useless nowadays because everyone can rent some botnet and DDoS you with terabytes of traffic. The only case where it could be useful now, is to defend against someone DoS’ing you on your LAN, in which case, you usually have bigger problems.
It’s a bit sad that it took OpenBSD 10 years to implement it.