Gibson's ENcryption-Enhanced Spoofing Immunity System

Edited: Apr 21, 2006 at 17:56

A Simple TCP/IP Implementation Enhancement to
Eliminate Denial of Service (DoS) Vulnerability

Part III - Acknowledgement of Previous Work

by Steve Gibson

 Any and all original intellectual property which may have
been created by this Work is hereby formally and freely placed
into the PUBLIC DOMAIN by this author, the Work's originator
and/or inventor, Steven M. Gibson, Laguna Hills, CA, USA.

It is my belief and sincere hope that it will be of value to the
Internet community for the benefit of all Internet users.

Part 0 - The Genesis of GENESIS
Part I - Understanding the Problem
Part II - Exploring the Solution
Part III - Acknowledgement of Previous Work

Acknowledgement of previous work

The Denial of Service resulting from a SYN flood with deliberately spoofed and changing source IPs is such a "low-tech" yet effective and anonymous assault that its mitigation and/or prevention has naturally received the attention of many talented and creative minds in the past.

As part of the implementation of a custom designed TCP/IP protocol stack to support our new NanoProbe™ technology, I designed a simple, straightforward, and robust solution to protect the stack from spoofed-IP Denial of Service SYN flood attacks.

Immediately after I posted the second part of this work to the web, several participants in the news groups at grc.com reported that similar work had been done before. I was unaware of previous work in this area, and consequently developed my solution independently and without the benefit of any previous work. However, since I have absolutely no intention or desire to assume credit for innovation which is not due, I feel it is important for previous work to be acknowledged and credited to its originators.

Anyone able to provide additional specific information about similar techniques for managing Denial of Service attacks is encouraged to send a note to me, care of my company, Gibson Research Corporation, at . I would very much appreciate any specific details about other solutions or systems that have been designed or created, and I will immediately incorporate a disclosure, analysis, and comparison of them here.

Linux "SYN Cookies"

After tracking down every one of the "this has all been done before" leads, I found that they all converged on one place: During September and October of 1996 two researchers, Dan Bernstein and Eric Schenk, proposed and worked out the specific implementation details for a system which is known today as "SYN Cookies". Shortly afterward, Eric added the SYN Cookie code to Linux where it survives, and can optionally be enabled, to this day.

As Dan's page shows, and it clearly describes the operation and formulation of their cookies, the Bernstein/Schenk SYN Cookies are quite different from my "Encrypted Token" solution and therefore have different characteristics. However, both systems share the concept I called "deferred connection management", and both succeed in enforcing client source IP authentication: the server commits no per-connection state until the client proves, by returning the server's own cookie, that it actually received the SYN-ACK at the address it claimed.
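To make the shared idea concrete, here is a simplified SYN-cookie server written for this page as an added illustration; it is not Gibson's stack, not the Linux implementation, and not Bernstein and Schenk's exact formulation. The 32-bit layout of the initial sequence number (a 5-bit slow counter, a 3-bit MSS code, a 24-bit keyed tag) follows Bernstein's published description; the HMAC-SHA-256 tag, the four-entry MSS table, the two-tick acceptance window, the RFC 5737 addresses and the randomly drawn secret are assumptions chosen for the demo. A flood of SYNs from spoofed sources costs the server nothing but SYN-ACKs, while only a client that actually received its SYN-ACK can return a valid ACK, and that ACK is bound to the source address it was issued to.

```python
"""Simplified SYN-cookie server: constructed illustration, not the Linux or the
Bernstein/Schenk code.  The server answers every SYN with a SYN-ACK whose initial
sequence number is a self-authenticating cookie and keeps no per-SYN state; only
an ACK carrying a valid cookie (which a spoofed source never receives) creates a
connection record."""
import hashlib
import hmac
import ipaddress
import os
import random

MSS_TABLE = (536, 1300, 1440, 1460)  # assumed 3-bit MSS encoding (Linux uses its own table)
MAX_COOKIE_AGE = 2                   # assumed window: accept cookies up to 2 ticks (~128 s) old
SECRET = os.urandom(32)              # per-boot secret; drawn fresh here for the demo


def _mss_index(client_mss):
    """Largest table entry not above the client's MSS, so the server never sends too much."""
    fits = [i for i, m in enumerate(MSS_TABLE) if m <= client_mss]
    return fits[-1] if fits else 0


def _tag24(src_ip, src_port, dst_ip, dst_port, counter, mss_index):
    """Keyed 24-bit tag binding the cookie to the 4-tuple, the counter tick and the MSS code."""
    msg = (ipaddress.ip_address(src_ip).packed + src_port.to_bytes(2, "big")
           + ipaddress.ip_address(dst_ip).packed + dst_port.to_bytes(2, "big")
           + (counter & 0xFFFFFFFF).to_bytes(4, "big") + bytes([mss_index]))
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src_ip, src_port, dst_ip, dst_port, client_mss, counter):
    """On SYN: build the 32-bit ISN = 5-bit counter | 3-bit MSS code | 24-bit tag.
    `counter` is the slow clock (one tick per 64 s); nothing is stored on the server."""
    mss_index = _mss_index(client_mss)
    return ((counter & 31) << 27) | (mss_index << 24) | _tag24(
        src_ip, src_port, dst_ip, dst_port, counter, mss_index)


def check_cookie(src_ip, src_port, dst_ip, dst_port, ack_number, counter):
    """On the final ACK: recover the MSS from ack-1, or None if the cookie is stale,
    malformed or not issued to this exact source/destination pair."""
    cookie = (ack_number - 1) & 0xFFFFFFFF
    age = (counter - (cookie >> 27)) & 31          # ticks since issue, modulo 32
    if age > MAX_COOKIE_AGE:
        return None
    issued = counter - age
    mss_index = (cookie >> 24) & 7
    if mss_index >= len(MSS_TABLE):
        return None
    if (cookie & 0xFFFFFF) != _tag24(src_ip, src_port, dst_ip, dst_port, issued, mss_index):
        return None
    return MSS_TABLE[mss_index]


class CookieServer:
    """Deferred connection management: state is created only when a cookie checks out."""

    def __init__(self, ip, port):
        self.ip, self.port = ip, port
        self.syn_acks_sent = 0
        self.established = {}                      # (src_ip, src_port) -> negotiated MSS

    def on_syn(self, src_ip, src_port, client_mss, counter):
        self.syn_acks_sent += 1
        return make_cookie(src_ip, src_port, self.ip, self.port, client_mss, counter)

    def on_ack(self, src_ip, src_port, ack_number, counter):
        mss = check_cookie(src_ip, src_port, self.ip, self.port, ack_number, counter)
        if mss is None:
            return False
        self.established[(src_ip, src_port)] = mss
        return True


def simulate(flood_size=10_000, counter=1000):
    """Spoofed SYN flood plus one real client; all addresses are constructed (RFC 5737)."""
    server = CookieServer("192.0.2.10", 80)
    rng = random.Random(1)
    # A flood of SYNs from random spoofed sources: each gets a SYN-ACK, none costs state.
    for _ in range(flood_size):
        server.on_syn(str(ipaddress.IPv4Address(rng.getrandbits(32))),
                      rng.randrange(1024, 65536), 1460, counter)
    # The real client actually receives its SYN-ACK, so it can ACK isn+1 a tick later.
    client = ("198.51.100.7", 40000)
    isn = server.on_syn(client[0], client[1], 1460, counter)
    outcome = {"legit": server.on_ack(client[0], client[1], isn + 1, counter + 1)}
    # An attacker replaying that ACK from a forged source fails: the tag covers the source IP.
    outcome["forged"] = server.on_ack("203.0.113.5", client[1], isn + 1, counter + 1)
    # The same ACK arriving after the window has closed is refused as stale.
    outcome["stale"] = server.on_ack(client[0], client[1], isn + 1,
                                     counter + MAX_COOKIE_AGE + 2)
    return server, outcome


if __name__ == "__main__":
    srv, result = simulate()
    print(f"SYN-ACKs sent: {srv.syn_acks_sent}, connections kept: {len(srv.established)}, {result}")
```

Running the script sends ten thousand cookie-bearing SYN-ACKs to spoofed addresses and ends with exactly one connection record. The price of statelessness is visible in the code too: the cookie has only 24 bits of tag, so an attacker guessing ACK numbers blind has a one in sixteen million chance per packet, and any TCP option that does not fit in the three MSS bits is lost, which is why real stacks switch cookies on only when the SYN queue is under pressure.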

Theirs is a great solution too, and I am glad to learn that, as a result of their work, Linux has acquired such robust Denial of Service protection, and moreover, that it has it built-in! It is a shame that this four-year-old technique has not become more prevalent or received more attention.

Gibson Research Corporation is owned and operated by Steve Gibson.  The contents
of this page are Copyright (c) 2016 Gibson Research Corporation. SpinRite, ShieldsUP,
NanoProbe, and any other indicated trademarks are registered trademarks of Gibson
Research Corporation, Laguna Hills, CA, USA. GRC's web and customer privacy policy.