Home / server / Questions / 549630
Accepted
Emiswelt
Asked: 2013-10-31 03:48:12 +0800 CST

TCP syn cookie calculation on Windows Server

  • 772

Windows Server uses uses TCP syn cookies to protect itself from syn-flooding attacks.

Is it known, how the operating system (Windows Server 2008 R2 and Windows Server 2012) calculates the syn cookie? If so, how is the calculation done?

windows-server-2008-r2

1 Answers

  1. Best Answer

    The formula is given on Wikipedia - http://en.wikipedia.org/wiki/SYN_cookies

    • let t be a slowly incrementing timestamp (typically time() logically right-shifted 6 positions, which gives a resolution of 64 seconds)
    • let m be the maximum segment size (MSS) value that the server would have stored in the SYN queue entry
    • let s be the result of a cryptographic hash function computed over the server IP address and port number, the client IP address and port number, and the value t. The returned value s must be a 24-bit value.

    The initial TCP sequence number, i.e. the SYN cookie, is computed as follows:

    • First 5 bits: t mod 32
    • Next 3 bits: an encoded value representing m
    • Final 24 bits: s

    Only Microsoft know for sure if this is how Windows implements SYN Cookies, because it's closed source, but for interoperability with other OSes it would make sense to follow this formula.

    You can see one implementation of SYN Cookies in net/ipv4/syncookies.c in Linux.

    • 2