TCP SynCookie

Some versions ago, an undocumented parameter “TCP SynCookie” in connection tracking was introduced. It is disabled by default.

Can someone please explain what this cookie does?

Thanks

http://en.wikipedia.org/wiki/SYN_cookies

Which must be the worst explanation I’ve ever seen.

From Troubleshooting Linux Firewalls (Shinn, 2005):

To help prevent SYN flood attacks, the 2.4 and 2.6 kernels, if compiled with this option, have the ability to send out what are referred to as “SYN cookies”. These are basically ACK packets that contain a little cryptographic hash, which the responding client will echo back as part of its SYN-ACK packet. If the kernel doesn’t see this “cookie” in the reply packet, it will assume the connection is bogus and drop it. The kernel will only send SYN cookies if the SYN socket buffer is backlogged.

Which is a little clearer.

Regards

Andrew
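As an added illustration that is not part of this thread or of any product mentioned in it, here is a Python sketch of the stateless handshake the quoted passage describes: the server folds a keyed hash of the connection's addresses and ports, a coarse timestamp and the client's MSS into the sequence number it sends in its SYN-ACK, and when the client's ACK comes back it recomputes that hash instead of looking up a stored half-open connection. The bit layout, the MSS table, the 64-second tick and the two-tick validity window are assumptions chosen for the example, not the Linux kernel's exact values.

```python
"""Simplified SYN-cookie encode/verify (example code, not a kernel implementation).

The server keeps no state for half-open connections. The initial sequence
number (ISN) placed in the SYN-ACK *is* the cookie; a legitimate client's
ACK carries ISN + 1 as its acknowledgement number, so the server can
recompute the hash and accept or drop without a lookup.

Assumed 32-bit cookie layout for this example:
  bits 31..27 : timestamp counter mod 32 (one tick per 64 s)
  bits 26..24 : index into MSS_TABLE
  bits 23..0  : truncated keyed hash over (saddr, daddr, sport, dport, tick)
"""
import hashlib
import hmac
import os

SECRET = os.urandom(32)                      # per-boot secret; real kernels rotate it
MSS_TABLE = (536, 1024, 1220, 1440, 1460)    # constructed table of common MSS values
MAX_AGE_TICKS = 2                            # accept cookies up to ~2 minutes old

def _hash24(secret, saddr, daddr, sport, dport, tick):
    """Keyed hash over the 4-tuple and the full tick value, cut to 24 bits."""
    msg = f"{saddr}|{daddr}|{sport}|{dport}|{tick}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")

def mss_index(client_mss):
    """Largest table entry not exceeding the MSS the client advertised in its SYN."""
    idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            idx = i
    return idx

def make_cookie(saddr, daddr, sport, dport, client_mss, now_ticks, secret=SECRET):
    """Build the ISN for the SYN-ACK; this is the only thing the server 'remembers'."""
    count = now_ticks & 0x1F
    idx = mss_index(client_mss)
    h = _hash24(secret, saddr, daddr, sport, dport, now_ticks)
    return (count << 27) | (idx << 24) | h

def verify_cookie(saddr, daddr, sport, dport, ack_number, now_ticks, secret=SECRET):
    """Check the ACK of a 3-way handshake.

    Returns the MSS recovered from the cookie when the ACK is genuine, or
    None when the connection should be treated as bogus and dropped.
    """
    cookie = (ack_number - 1) & 0xFFFFFFFF   # client acks ISN + 1
    count = cookie >> 27
    idx = (cookie >> 24) & 0x7
    stored_hash = cookie & 0xFFFFFF
    # Try each tick inside the validity window whose low 5 bits match the
    # counter stored in the cookie, then recompute the hash for that tick.
    for age in range(MAX_AGE_TICKS + 1):
        candidate_tick = now_ticks - age
        if candidate_tick & 0x1F != count:
            continue
        expected = _hash24(secret, saddr, daddr, sport, dport, candidate_tick)
        if hmac.compare_digest(expected.to_bytes(3, "big"),
                               stored_hash.to_bytes(3, "big")):
            return MSS_TABLE[idx]
    return None

if __name__ == "__main__":
    # Constructed sample handshake: client 10.0.0.5:40000 -> server 192.0.2.1:80
    isn = make_cookie("10.0.0.5", "192.0.2.1", 40000, 80, 1460, now_ticks=100)
    print("genuine ACK  ->", verify_cookie("10.0.0.5", "192.0.2.1", 40000, 80, isn + 1, 100))
    print("forged ACK   ->", verify_cookie("10.0.0.5", "192.0.2.1", 40000, 80, isn + 2, 100))
    print("stale ACK    ->", verify_cookie("10.0.0.5", "192.0.2.1", 40000, 80, isn + 1, 103))
```

The trade-off visible in the code is why the kernel only switches this on when the backlog is full: the cookie has room for a coarse MSS index but not for other SYN options, so connections accepted this way lose things like window scaling or SACK that the real backlog entry would have remembered.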

Are there any end devices that don’t support this hash? Any risk of using SYN cookies? Will devices made pre-19XX not work anymore, etc.?

Sam

Just to clarify, I wasn’t aiming at Yancho with my last post. It’s the Wikipedia article that’s obscure.

An interesting question, Sam, which requires rather more time to research than I have available at present (at least until I get this Cisco exam out of the way again!). I’d be interested in anyone else’s thoughts on this. They’re incompatible with Transactional TCP, but I haven’t come across this being used anywhere.

Regards

Andrew

I think this is safe to use, as I think most Linux installs enable this by default now, and if not, it’s one of the first recommended settings to turn on for a Linux firewall/router box. I’ve never encountered an issue when using it. Hopefully it will be the same for a MT gateway :)

You’re right about the Wikipedia explanation - it doesn’t really help much, but they refer to the article that explains it in full, which is a little better.