CSE 127 Lecture Notes - Lecture 18: Syn Cookies, Syn Flood, Routing Table


Document Summary

Attack against availability, not confidentiality, integrity, authenticity, etc.

Logic vulnerabilities: exploit bugs to cause a crash.

Lots of hosts attack a victim at once. Can cause new connections to be dropped and existing connections to time out.

Make the db process a lot of queries. Find all instances of something (looking through many entries). Attack: attack the cache using lots of random queries.

If attack > forwarding capacity, good data will be dropped!

Network egress: filter packets on a link whose src addr are not reached using the link as the next hop (i.e. this couldn't be your src addr). Network ingress: filter packets whose src address are not in the routing table at all.

Issue: allocating per-TCP-session state is expensive. Delay allocation of state until the remote host commits to the 3-way handshake. Send back SYN/ACK packet w/o allocating state on server; server's initial sequence # (ISN) encodes a secret cookie that is a function of {src, dst, srcport, dstport, time}.
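The stateless handshake described in the summary, as an added Python sketch that is not part of the lecture notes: the server's ISN is a truncated HMAC over {src, dst, srcport, dstport, time}, and the final ACK is checked by recomputing it. The secret, the 64-second time slot, the function names and the sample addresses are assumptions; production TCP stacks use their own cookie bit layout.

```python
import hashlib
import hmac
import socket
import struct

SECRET = b"constructed-demo-secret"  # assumption: server-side secret key
SLOT_SECONDS = 64                    # assumption: granularity of the time input
MASK32 = 0xFFFFFFFF

def cookie_isn(src, dst, sport, dport, slot):
    """32-bit ISN: keyed hash of {src, dst, srcport, dstport, time slot}."""
    msg = socket.inet_aton(src) + socket.inet_aton(dst)
    msg += struct.pack("!HHI", sport, dport, slot)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")

def on_syn(src, dst, sport, dport, client_isn, now):
    """Build the SYN/ACK (seq, ack) numbers; no per-connection state is stored."""
    isn = cookie_isn(src, dst, sport, dport, int(now) // SLOT_SECONDS)
    return isn, (client_isn + 1) & MASK32

def on_ack(src, dst, sport, dport, ack, now):
    """Accept the final ACK only if ack-1 is a cookie issued in a recent slot."""
    echoed = ((ack - 1) & MASK32).to_bytes(4, "big")
    current = int(now) // SLOT_SECONDS
    for slot in {current, max(current - 1, 0)}:  # tolerate one slot boundary
        expected = cookie_isn(src, dst, sport, dport, slot).to_bytes(4, "big")
        if hmac.compare_digest(expected, echoed):
            return True   # only now would the server allocate session state
    return False

if __name__ == "__main__":
    # Constructed sample values (documentation address ranges).
    client, server = "198.51.100.7", "192.0.2.10"
    seq, ack = on_syn(client, server, 40000, 443, client_isn=1000, now=6400)
    reply = (seq + 1) & MASK32
    print("real client, same slot:", on_ack(client, server, 40000, 443, reply, 6410))
    print("real client, stale ACK:", on_ack(client, server, 40000, 443, reply, 6528))
    print("other source address:  ", on_ack("203.0.113.9", server, 40000, 443, reply, 6410))
```

A host that spoofed its source address never sees the SYN/ACK, so it cannot echo the cookie, and the server has spent no memory on it.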
