G.E.N.E.S.I.S.
Gibson's ENcryption-Enhanced Spoofing Immunity System



Edited: Jan 12,2001 at 16:23 (-0700 UTC) . . . because sometimes it IS rocket science!

A Simple TCP/IP Implementation Enhancement to
Eliminate Denial of Service (DoS) Vulnerability


Part III - Acknowledgement of Previous Work

by Steve Gibson


  Any and all original intellectual property which may have
been created by this Work is hereby formally and freely placed
into the PUBLIC DOMAIN by this author, the Work's originator
and/or inventor, Steven M. Gibson, Laguna Hills, CA, USA.

It is my belief and sincere hope that it will be of value to the
Internet community for the benefit of all Internet users.
 

Part I - Understanding the Problem
Part II - Exploring the Solution
Part III - Acknowledgement of Previous Work



Acknowledgement of previous work

The Denial of Service resulting from a SYN flood with deliberately spoofed and changing source IPs is such a "low-tech" yet effective and anonymous assault that its mitigation and/or prevention has naturally received the attention of many talented and creative minds in the past.

As part of the implementation of a custom designed TCP/IP protocol stack to support our new NanoProbe™ technology, I designed a simple, straightforward, and robust solution to protect the stack from spoofed-IP Denial of Service SYN flood attacks.

Immediately after I posted the second part of this work to the web, several participants in the news groups at grc.com reported that similar work had been done before. I was unaware of previous work in this area, and consequently developed my solution independently and without the benefit of any previous work. However, since I have absolutely no intention or desire to assume credit for innovation which is not due, I feel it is important for previous work to be acknowledged and credited to its originators.

Anyone able to provide additional specific information relating to similar techniques for managing Denial of Service attacks, is encouraged to send a note to me, care of my company, Gibson Research Corporation, at support@grc.com. I would very much appreciate having any specific details which may be available about any other solutions or systems that have been designed or created, and I will immediately incorporate a disclosure, analysis, and comparison of them here.




Linux "SYN Cookies"

After tracking down every one of the "this has all been done before" leads, I found that they all converged on one place: During September and October of 1996 two researchers, Dan Bernstein and Eric Schenk, proposed and worked out the specific implementation details for a system which is known today as "SYN Cookies". Shortly afterward, Eric added the SYN Cookie code to Linux where it survives, and can optionally be enabled, to this day.

As you can see from Dan's page — which clearly describes the operation and formulation of their Cookies — the Berntstein/Schenk SYN Cookies are quite different and therefore have different characteristics from my "Encrypted Token" solution. However, both systems share the common concept which I called "deferred connection management", and both systems succeed in enforcing Client source IP authentication.

Theirs is a great solution too, and I am glad to learn that, as a result of their work, Linux has acquired such robust Denial of Service protection, and moreover, that it has it built-in! It is a shame that this four-year-old technique has not become more prevalent or received more attention. It should.

Please note also: Earlier versions of this page contained a number of inaccurate conclusions based upon code contained within archived discussion threads and anecdotal evidence. It was all I was able to find at the time, but that information did not represent the current implementation of Linux's SYN Cookies. In my surprise and haste to determine what had been done before — and draw some conclusions and comparisons — I was using obsolete information. After I found Dan's page, and contacted him, he was able to separate the facts from the fiction. I wish to apologize for any confusion I created from my own initial confusion!




All comments are invited and welcome.
Please write to: support@grc.com.

All the best.


Purchase Info      GRC Mail System     
GRC's Homepage
     Tech Support     
Purchasing Info      GRC Mail System      To GRC's Home      Tech Support      Discussions

The contents of this page are Copyright (c) 2000 by Gibson Research Corporation.
SpinRite, ChromaZone, ShieldsUP, NanoProbe, the character 'Moe' (shown above),
and the slogan "It's MY Computer" are registered trademarks of Gibson Research
Corporation (GRC), Laguna Hills, CA, USA. GRC's web and customer privacy policy.
~ ~ ~