The TCP/IP handshake protocol has been used with great success in enabling communication over the Internet. However, the TCP/IP handshake protocol has drawbacks, including the lack of strong authentication of the protocol messages, such as the SYN message and the SYN-ACK message. Because state information must be stored by the client and/or server for each new connection, the TCP/IP handshake protocol may be prone to resource exhaustion attacks, such as SYN floods. One solution to this problem is the use of SYN cookies.
A SYN cookie is an initial TCP/IP acknowledgement number determined by a TCP/IP server and sent in packets within the TCP/IP handshake protocol. The SYN cookie includes state information, such as a counter, a maximum segment size for a SYN message, a secret based on the cryptographic hash of an IP address, port number and/or counter, or the like. The state information may be stored in different parts of the SYN cookie. For example, the first five bits of the SYN cookie may include the counter, the next three bits may include an encoding of the maximum segment size, and at least a portion of the remaining bits may include the cryptographic secret. The SYN cookie is sent in the SYN-ACK message from the server to the client. The client sends the ACK message back to the server. The ACK message includes the TCP/IP acknowledgement number plus one. The server retrieves the TCP/IP acknowledgement number plus one and subtracts one from it, thus obtaining the SYN cookie from the ACK message. The server is then able to check whether the SYN cookie is valid based on the state information stored in it. For example, the server may extract the counter, decode the maximum segment size, and extract the received cryptographic secret. The server may compute another cryptographic secret based on the received counter, the server's IP address, port number, or the like. If the other cryptographic secret matches the received cryptographic secret, then the SYN cookie is determined to be valid and the TCP/IP connection is established.
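The cookie layout and validation described above, as an added example that is not part of the original text: five high bits of counter, three bits of encoded maximum segment size, and a 24-bit truncated secret. The use of HMAC-SHA256 over the address and port 4-tuple, the MSS table, the server key, and the acceptance window for stale counters are all assumptions of this example.

```python
import hmac
import hashlib
import struct

SERVER_KEY = b"example-secret-key-rotate-me"  # constructed; a real server rotates this
# Assumed MSS table: the 3-bit field selects one of these eight values.
MSS_TABLE = (536, 1220, 1460, 4312, 8960, 16384, 32768, 65495)

COUNTER_BITS, MSS_BITS = 5, 3
COUNTER_MASK = (1 << COUNTER_BITS) - 1
HASH_BITS = 32 - COUNTER_BITS - MSS_BITS            # 24 bits of truncated MAC
HASH_MASK = (1 << HASH_BITS) - 1


def encode_mss(mss):
    """Index of the largest table entry not exceeding the client's advertised MSS."""
    return max(i for i, value in enumerate(MSS_TABLE) if value <= mss or i == 0)


def cookie_secret(src_ip, src_port, dst_ip, dst_port, counter):
    """Truncated keyed hash over addresses, ports and counter (assumed construction)."""
    msg = struct.pack("!4s4sHHB", src_ip, dst_ip, src_port, dst_port, counter)
    mac = hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()
    return int.from_bytes(mac[:3], "big") & HASH_MASK


def make_syn_cookie(src_ip, src_port, dst_ip, dst_port, counter, mss):
    """Initial acknowledgement number the server places in its SYN-ACK."""
    counter &= COUNTER_MASK
    secret = cookie_secret(src_ip, src_port, dst_ip, dst_port, counter)
    return (counter << 27) | (encode_mss(mss) << 24) | secret


def check_ack(ack_number, src_ip, src_port, dst_ip, dst_port, now_counter, window=1):
    """Recover the cookie (ACK number minus one), validate it, return the MSS or None."""
    cookie = (ack_number - 1) & 0xFFFFFFFF             # handles 32-bit wrap-around
    counter = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    received = cookie & HASH_MASK
    # Assumed policy: reject cookies whose counter is older than the window.
    if ((now_counter - counter) & COUNTER_MASK) > window:
        return None
    expected = cookie_secret(src_ip, src_port, dst_ip, dst_port, counter)
    # Constant-time comparison so a forger learns nothing from response timing.
    if not hmac.compare_digest(expected.to_bytes(3, "big"), received.to_bytes(3, "big")):
        return None
    return MSS_TABLE[mss_idx]
```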
Generally, SYN cookies allow a server to reduce the state storage, network resources, or other resources it must commit to a possible TCP/IP connection. However, SYN cookies do not address the reduction of state storage by clients. It is with respect to this consideration and others that the current invention is directed.