[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Tcp Syncookies vulnarability

On Mon, May 13, 2002 at 06:37:29AM -0700, sim ton wrote:
>  correct magic cookie. In order to find the correct cookie, an
>  attacker has to explore about 16 million values (2^24), which can be
>  done in a few hours on a fast link.

This is no longer a problem for Linux, cause it includes a timestamp and
will chnage the secret code for the cookies regularly,  effectively
reducing the time window one can try valid cookies to a timeframe which is
not exploitable over internet links.

> my question is still the same:
> is tcp_syncookies reliable ?

If you do not use services on your DMZ Servers whch you do not want to be
available on internet, then syn cookies are safe. Cause your firewall does
not restrict the access.

If you have to run services on DMZ servers which should be blocked by a
firewall, then make sure you not only filter on incoming SYN, but also on
ACK packages, if you want to be absolutely sure the brute force cant be


To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to: