There is a definitive solution to the Denial of Service attacks based on SYN and ACK address spoofing.
The solution comes from
Steve Gibson and is called GENESIS (Gibson's ENcryption-Enhanced Spoofing Immunity System)
I base myself on FlameBoy excellent writeup for the vocabulary, so read it first.
Here is how it works:
-
Upon reception of the SYN packet from the client (user) browser, the server encrypts the client IP and adds to it the Client's Initial Sequence Number (CISN)
( number used to order the different packets sent over the internet in the right order at both ends) and send the whole as its own server SYN/ACK packet. the server does not hold this information in memory, hence no resource can be abused this way. If the IP is fake, the packet is lost, end of the story.
- The client responds to this server SYN/ACK packet by its own ACK that includes the encrypted string.
- Upon reception by the server, it subtracts the CISN from the ACK packet, decrypts the encrypted IP and compares it with the one declared by the client. If it matches: Bingo, the IP is authentic and was the one that sent the SYN packet in the first place. If not, the ACK is a fake and can be ignored.
According to the author, it can be implemented on any server as it fully complies with the TCP/IP protocol.
I do not intend to plagiarise Steve Gibson's already extremely comprehensive page so you should check it by yourself for crystal clear and detailed explanations : http://grc.com/r&d/nomoredos2.htm
Update October 14 2001:
This method appears to be flawed : see cordelia's write-up below for details.