SYN cookies are the method a server can defend itself against a SYN attack.

The fundamental principle behind the SYN cookie is that the server's SYN-ACK contains some secret, non-reusable token that the client will re-present in the third step of the handshake. Typically, a server will *not* use SYN cookies until it comes under attack, as SYN cookies are computationally expensive.

The SYN cookie is used to determine the starting ISN selected for a connection. There are various implementations, including Steve Gibson's flawed GENESIS approach. Normal approaches will compute the hash of:

And use this as the cookie. When the server is presented with an ACK, they attempt to regenerate the cookie, using the two most recent time quantiles as guesses. If they can regenerate the cookie, they'll believe this to be a valid packet.