SYN Cookies - Implementation

Implementation

To initiate a TCP connection, the client sends a SYN segment to the server, and the server answers with a SYN+ACK segment. One of the fields in that segment is the server's initial sequence number, which TCP uses to order and reassemble the data stream. The TCP specification lets each endpoint choose its initial sequence number freely, and SYN cookies exploit that freedom: instead of storing a SYN queue entry for each half-open connection, the server encodes what it would have stored into the initial sequence number itself. A SYN cookie is an initial sequence number constructed according to the following rules:

  • let t be a slowly incrementing timestamp (typically the current time in seconds logically right-shifted 6 positions, which gives a resolution of 64 seconds)
  • let m be the maximum segment size (MSS) value that the server would have stored in the SYN queue entry
  • let s be a 24-bit value produced by a cryptographic hash function, keyed with a secret known only to the server, computed over the server IP address and port number, the client IP address and port number, and the value t. The secret is essential: a hash of public values alone could be recomputed by any client, which could then forge acceptable ACKs without ever receiving a SYN+ACK.

The initial TCP sequence number, i.e. the SYN cookie, is computed as follows:

  • Top 5 bits: t mod 32
  • Next 3 bits: an encoded value representing m
  • Low 24 bits: s

(Note: since m must be encoded in 3 bits, the server can represent only 8 distinct MSS values while SYN cookies are in use; the MSS the client advertised is typically rounded down to the nearest of those values.)

When the client sends a TCP ACK segment back to the server in response to the server's SYN+ACK, the client MUST (according to the TCP specification) place n+1 in the segment's acknowledgement number, where n is the initial sequence number sent by the server. The server therefore subtracts 1 (modulo 2^32) from the acknowledgement number to recover the SYN cookie it sent to the client.

The server then performs the following operations:

  • Checks the value t against the current time to see whether the cookie has expired. Only t mod 32 is carried in the cookie, so the server looks for the most recent 64-second tick whose low 5 bits match and rejects the cookie if that tick is too far in the past.
  • Recomputes s with the same secret and compares it to the 24 bits in the cookie to determine whether this is, indeed, a valid SYN cookie.
  • Decodes the value m from the 3-bit encoding in the SYN cookie, which it can then use, together with the client's initial sequence number (the ACK's sequence number minus 1), to reconstruct the SYN queue entry.

From this point forward, the connection proceeds as normal.
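The construction and validation steps above, worked through end to end as an added example (this is illustrative code written for this page, not Bernstein's reference implementation or any kernel's TCP stack). The eight-entry MSS table, the use of HMAC-SHA256 truncated to 24 bits as the keyed hash, and the decision to accept a cookie from the current or the previous 64-second tick are all assumptions made for the example; the handshake values at the bottom are constructed.

```python
"""SYN cookie construction and validation (added example, not kernel code)."""
import hashlib
import hmac
import ipaddress
import struct

# The 3-bit field can name only eight MSS values.  This table is an
# assumption for the example; real stacks choose their own eight.
MSS_TABLE = (536, 1300, 1440, 1460, 2048, 4096, 8192, 9000)

# Accept cookies whose t is the current 64-second tick or the one before it
# (assumption: a two-tick window, so a cookie lives 64 to 128 seconds).
MAX_AGE_TICKS = 1


def cookie_tick(now: float) -> int:
    """t: wall-clock seconds shifted right by 6, so one tick is 64 seconds."""
    return int(now) >> 6


def encode_mss(client_mss: int) -> int:
    """3-bit code for the largest table entry not exceeding the client's MSS."""
    code = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            code = i
    return code


def secret_hash24(secret: bytes, srv_ip: str, srv_port: int,
                  cli_ip: str, cli_port: int, t: int) -> int:
    """s: 24-bit keyed hash over the address 4-tuple and t.

    The key is what prevents a client from minting its own cookies; an
    unkeyed hash of public values could be computed by anyone.
    HMAC-SHA256 truncated to three bytes is an assumption for this example.
    """
    msg = (ipaddress.ip_address(srv_ip).packed + struct.pack("!H", srv_port)
           + ipaddress.ip_address(cli_ip).packed + struct.pack("!H", cli_port)
           + struct.pack("!Q", t))
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(secret, srv_ip, srv_port, cli_ip, cli_port, client_mss, now):
    """Build the ISN the server sends in its SYN+ACK instead of queueing the SYN."""
    t = cookie_tick(now)
    s = secret_hash24(secret, srv_ip, srv_port, cli_ip, cli_port, t)
    return ((t & 0x1F) << 27) | (encode_mss(client_mss) << 24) | s


def check_cookie(secret, srv_ip, srv_port, cli_ip, cli_port, ack_number, now):
    """Validate the cookie recovered from a bare ACK; return the MSS or None."""
    cookie = (ack_number - 1) & 0xFFFFFFFF   # ack = server ISN + 1, mod 2**32
    t_low = cookie >> 27
    code = (cookie >> 24) & 0x7
    s = cookie & 0xFFFFFF

    # Only t mod 32 is in the cookie: the age is how many ticks back the low
    # five bits last matched.  Anything older than the window is rejected.
    t_now = cookie_tick(now)
    age = (t_now - t_low) & 0x1F
    if age > MAX_AGE_TICKS:
        return None
    t = t_now - age

    expected = secret_hash24(secret, srv_ip, srv_port, cli_ip, cli_port, t)
    if not hmac.compare_digest(s.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None
    return MSS_TABLE[code]


def rebuild_syn_entry(secret, srv_ip, srv_port, cli_ip, cli_port,
                      seq_number, ack_number, now):
    """Reconstruct the SYN-queue entry the server never stored, or None."""
    mss = check_cookie(secret, srv_ip, srv_port, cli_ip, cli_port, ack_number, now)
    if mss is None:
        return None
    return {
        "client_isn": (seq_number - 1) & 0xFFFFFFFF,  # the ACK carries client ISN + 1
        "server_isn": (ack_number - 1) & 0xFFFFFFFF,
        "mss": mss,
    }


if __name__ == "__main__":
    # Constructed handshake: SYN from 203.0.113.7:40000 to 192.0.2.10:443
    # advertising MSS 1460, answered at time 1_700_000_000, ACKed 30 s later.
    key = b"server secret, rotated periodically"
    srv, cli = ("192.0.2.10", 443), ("203.0.113.7", 40000)
    isn = make_cookie(key, *srv, *cli, 1460, 1_700_000_000)
    entry = rebuild_syn_entry(key, *srv, *cli, 0x12345678 + 1, isn + 1, 1_700_000_030)
    print(hex(isn), entry)
```

Two details worth noticing when running it: an ACK whose cookie fails either the age check or the keyed-hash check yields no queue entry at all, which is exactly the state a server under SYN flood wants (nothing was allocated for the spoofed SYN, and nothing is allocated for a forged ACK); and because only 24 bits of the cookie depend on the secret, the hash comparison is done in constant time with `hmac.compare_digest` so the check itself leaks nothing about those bits.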
