TCP SYN cookies
SYN cookies were created in September 1996, by Daniel J. Bernstein and Eric Schenk. One month later, they were implemented by Jeff Weisberg for SunOS, and Eric Schenk did the same for Linux 2.0.29 in February 1997, and this ended up being merged in the form of a reworked patch from Andi Kleen, in Linux 2.1.44. They were enabled by default in Ubuntu 9.04, in April 2009.
The idea behind it is to defend against SYN
flood by using a MAC construction
(containing an expiration date and the
the sequence number of the
ACK, since the client’
must contain the sequence number
incremented by one. This allows the server to verify, without keeping states on
its side, that the client sending the
SYN ACK is one that previously sent
SYNC. This approach has some
drawbacks, but is widely accepted as the
less worse™ way to deal with
They were implemented in OpenBSD in February 2018, by Henning Brauer, and landed in OpenBSD 6.3, released in April 2018.
Amusingly, OpenBSD was vulnerable to hashtables collisions in its SYN cache implementation, until Alexander Bluhm fixed it in March 2016.
This is a basic mitigation against SYN-flood attacks, and while it was useful in 1997, it’s pretty much useless nowadays because everyone can rent some botnet and DDoS you with terabytes of traffic. The only case where it could be useful now, is to defend against someone DoS’ing you on your LAN, in which case, you usually have bigger problems.
It’s a bit sad that it took OpenBSD 10 years to implement it.